xref: /titanic_51/usr/src/lib/libsmbfs/smb/negprot.c (revision a24e89c4a1eec8361718d94a6275e6720643284e)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
35  * Use is subject to license terms.
36  */
37 
38 /*
39  * SMB Negotiate Protocol, and related.
40  * Copied from the driver: smb_smb.c
41  */
42 
43 #include <errno.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <unistd.h>
47 #include <strings.h>
48 #include <netdb.h>
49 #include <libintl.h>
50 #include <xti.h>
51 #include <assert.h>
52 
53 #include <sys/types.h>
54 #include <sys/time.h>
55 #include <sys/byteorder.h>
56 #include <sys/socket.h>
57 #include <sys/fcntl.h>
58 
59 #include <netinet/in.h>
60 #include <netinet/tcp.h>
61 #include <arpa/inet.h>
62 
63 #include <netsmb/smb.h>
64 #include <netsmb/smb_lib.h>
65 #include <netsmb/netbios.h>
66 #include <netsmb/nb_lib.h>
67 #include <netsmb/smb_dev.h>
68 
69 #include "charsets.h"
70 #include "private.h"
71 
72 /*
73  * SMB dialects that we know about.
74  */
75 struct smb_dialect {
76 	int		d_id;
77 	const char	*d_name;
78 };
79 static struct smb_dialect smb_dialects[] = {
80 	{SMB_DIALECT_CORE,	"PC NETWORK PROGRAM 1.0"},
81 	{SMB_DIALECT_LANMAN1_0,	"LANMAN1.0"},
82 	{SMB_DIALECT_LANMAN2_0,	"LM1.2X002"},
83 	{SMB_DIALECT_LANMAN2_1,	"LANMAN2.1"},
84 	{SMB_DIALECT_NTLM0_12,	"NT LM 0.12"},
85 	{-1,			NULL}
86 };
87 
88 #define	SMB_DIALECT_MAX \
89 	(sizeof (smb_dialects) / sizeof (struct smb_dialect) - 2)
90 
91 /*
92  * SMB Negotiate Protocol
93  * Based on code from the driver: smb_smb.c
94  *
95  * If using Extended Security, oblob (output)
96  * will hold the initial security "hint".
97  */
98 int
99 smb_negprot(struct smb_ctx *ctx, struct mbdata *oblob)
100 {
101 	struct smb_sopt *sv = &ctx->ct_sopt;
102 	struct smb_iods *is = &ctx->ct_iods;
103 	struct smb_rq	*rqp;
104 	struct mbdata	*mbp;
105 	struct smb_dialect *dp;
106 	int err, len;
107 	uint8_t wc, stime[8], eklen;
108 	uint16_t dindex, bc;
109 	int will_sign = 0;
110 
111 	/*
112 	 * Initialize: vc_hflags and vc_hflags2.
113 	 * Note: ctx->ct_hflags* are copied into the
114 	 * (per request) rqp->rq_hflags* by smb_rq_init,
115 	 * so changing them after that call will not
116 	 * affect THIS request.
117 	 */
118 	ctx->ct_hflags = SMB_FLAGS_CASELESS;
119 	ctx->ct_hflags2 = (SMB_FLAGS2_ERR_STATUS |
120 	    SMB_FLAGS2_KNOWS_LONG_NAMES);
121 
122 	/*
123 	 * Sould we offer extended security?
124 	 * We'll turn this back off below if
125 	 * the server doesn't support it.
126 	 */
127 	if (ctx->ct_vopt & SMBVOPT_EXT_SEC)
128 		ctx->ct_hflags2 |= SMB_FLAGS2_EXT_SEC;
129 
130 	/*
131 	 * The initial UID needs to be zero,
132 	 * or Windows XP says "bad user".
133 	 * The initial TID is all ones, but
134 	 * we don't use it or store it here
135 	 * because the driver handles that.
136 	 */
137 	is->is_smbuid = 0;
138 
139 	/*
140 	 * In case we're reconnecting,
141 	 * free previous stuff.
142 	 */
143 	ctx->ct_mac_seqno = 0;
144 	if (ctx->ct_mackey != NULL) {
145 		free(ctx->ct_mackey);
146 		ctx->ct_mackey = NULL;
147 		ctx->ct_mackeylen = 0;
148 	}
149 
150 	sv = &ctx->ct_sopt;
151 	bzero(sv, sizeof (struct smb_sopt));
152 
153 	err = smb_rq_init(ctx, SMB_COM_NEGOTIATE, &rqp);
154 	if (err)
155 		return (err);
156 
157 	/*
158 	 * Build the SMB request.
159 	 */
160 	mbp = &rqp->rq_rq;
161 	mb_put_uint8(mbp, 0);			/* word count */
162 	smb_rq_bstart(rqp);
163 	for (dp = smb_dialects; dp->d_id != -1; dp++) {
164 		mb_put_uint8(mbp, SMB_DT_DIALECT);
165 		mb_put_astring(mbp, dp->d_name);
166 	}
167 	smb_rq_bend(rqp);
168 
169 	/*
170 	 * This does the OTW call
171 	 */
172 	err = smb_rq_internal(ctx, rqp);
173 	if (err) {
174 		DPRINT("call failed, err %d", err);
175 		goto errout;
176 	}
177 	if (rqp->rq_status != 0) {
178 		DPRINT("nt status 0x%x", rqp->rq_status);
179 		err = EBADRPC;
180 		goto errout;
181 	}
182 
183 	/*
184 	 * Decode the response
185 	 *
186 	 * Comments to right show names as described in
187 	 * The Microsoft SMB Protocol spec. [MS-SMB]
188 	 * section 2.2.3
189 	 */
190 	mbp = &rqp->rq_rp;
191 	(void) mb_get_uint8(mbp, &wc);
192 	err = mb_get_uint16le(mbp, &dindex);
193 	if (err || dindex > SMB_DIALECT_MAX) {
194 		DPRINT("err %d dindex %d", err, (int)dindex);
195 		goto errout;
196 	}
197 	dp = smb_dialects + dindex;
198 	sv->sv_proto = dp->d_id;
199 	DPRINT("Dialect %s", dp->d_name);
200 	if (dp->d_id < SMB_DIALECT_NTLM0_12) {
201 		/* XXX: User-visible warning too? */
202 		DPRINT("old dialect %s", dp->d_name);
203 		goto errout;
204 	}
205 	if (wc != 17) {
206 		DPRINT("bad wc %d", (int)wc);
207 		goto errout;
208 	}
209 	mb_get_uint8(mbp, &sv->sv_sm);		/* SecurityMode */
210 	mb_get_uint16le(mbp, &sv->sv_maxmux);	/* MaxMpxCount */
211 	mb_get_uint16le(mbp, &sv->sv_maxvcs);	/* MaxCountVCs */
212 	mb_get_uint32le(mbp, &sv->sv_maxtx);	/* MaxBufferSize */
213 	mb_get_uint32le(mbp, &sv->sv_maxraw);	/* MaxRawSize */
214 	mb_get_uint32le(mbp, &sv->sv_skey);	/* SessionKey */
215 	mb_get_uint32le(mbp, &sv->sv_caps);	/* Capabilities */
216 	mb_get_mem(mbp, (char *)stime, 8);	/* SystemTime(s) */
217 	mb_get_uint16le(mbp, (uint16_t *)&sv->sv_tz);
218 	mb_get_uint8(mbp, &eklen);	/* EncryptionKeyLength */
219 	err = mb_get_uint16le(mbp, &bc);	/* ByteCount */
220 	if (err)
221 		goto errout;
222 
223 	/* BEGIN CSTYLED */
224 	/*
225 	 * Will we do SMB signing?  Or block the connection?
226 	 * The table below describes this logic.  References:
227 	 * [Windows Server Protocols: MS-SMB, sec. 3.2.4.2.3]
228 	 * http://msdn.microsoft.com/en-us/library/cc212511.aspx
229 	 * http://msdn.microsoft.com/en-us/library/cc212929.aspx
230 	 *
231 	 * Srv/Cli     | Required | Enabled    | If Required | Disabled
232 	 * ------------+----------+------------+-------------+-----------
233 	 * Required    | Signed   | Signed     | Signed      | Blocked [1]
234 	 * ------------+----------+------------+-------------+-----------
235 	 * Enabled     | Signed   | Signed     | Not Signed  | Not Signed
236 	 * ------------+----------+------------+-------------+-----------
237 	 * If Required | Signed   | Not Signed | Not Signed  | Not Signed
238 	 * ------------+----------+------------+-------------+-----------
239 	 * Disabled    | Blocked  | Not Signed | Not Signed  | Not Signed
240 	 *
241 	 * [1] Like Windows 2003 and later, we don't really implement
242 	 * the "Disabled" setting.  Instead we implement "If Required",
243 	 * so we always sign if the server requires signing.
244 	 */
245 	/* END CSTYLED */
246 
247 	if (sv->sv_sm & SMB_SM_SIGS_REQUIRE) {
248 		/*
249 		 * Server requires signing.  We will sign,
250 		 * even if local setting is "disabled".
251 		 */
252 		will_sign = 1;
253 	} else if (sv->sv_sm & SMB_SM_SIGS) {
254 		/*
255 		 * Server enables signing (client's option).
256 		 * If enabled locally, do signing.
257 		 */
258 		if (ctx->ct_vopt & SMBVOPT_SIGNING_ENABLED)
259 			will_sign = 1;
260 		/* else not signing. */
261 	} else {
262 		/*
263 		 * Server does not support signing.
264 		 * If we "require" it, bail now.
265 		 */
266 		if (ctx->ct_vopt & SMBVOPT_SIGNING_REQUIRED) {
267 			DPRINT("Client requires signing "
268 			    "but server has it disabled.");
269 			err = EBADRPC;
270 			goto errout;
271 		}
272 	}
273 
274 	if (will_sign) {
275 		ctx->ct_vcflags |= SMBV_WILL_SIGN;
276 	}
277 	DPRINT("Security signatures: %d", will_sign);
278 
279 	if (sv->sv_caps & SMB_CAP_UNICODE) {
280 		ctx->ct_vcflags |= SMBV_UNICODE;
281 		ctx->ct_hflags2 |= SMB_FLAGS2_UNICODE;
282 
283 	}
284 	if ((sv->sv_caps & SMB_CAP_STATUS32) == 0) {
285 		/*
286 		 * They don't do NT error codes.
287 		 *
288 		 * If we send requests with
289 		 * SMB_FLAGS2_ERR_STATUS set in
290 		 * Flags2, Windows 98, at least,
291 		 * appears to send replies with that
292 		 * bit set even though it sends back
293 		 * DOS error codes.  (They probably
294 		 * just use the request header as
295 		 * a template for the reply header,
296 		 * and don't bother clearing that bit.)
297 		 *
298 		 * Therefore, we clear that bit in
299 		 * our vc_hflags2 field.
300 		 */
301 		ctx->ct_hflags2 &= ~SMB_FLAGS2_ERR_STATUS;
302 	}
303 	if (dp->d_id == SMB_DIALECT_NTLM0_12 &&
304 	    sv->sv_maxtx < 4096 &&
305 	    (sv->sv_caps & SMB_CAP_NT_SMBS) == 0) {
306 		ctx->ct_vcflags |= SMBV_WIN95;
307 		DPRINT("Win95 detected");
308 	}
309 
310 	/*
311 	 * The rest of the message varies depending on
312 	 * whether we've negotiated "extended security".
313 	 *
314 	 * With extended security, we have:
315 	 *	Server_GUID	(length 16)
316 	 *	Security_BLOB
317 	 * Otherwise we have:
318 	 *	EncryptionKey (length is eklen)
319 	 *	PrimaryDomain
320 	 */
321 	if (sv->sv_caps & SMB_CAP_EXT_SECURITY) {
322 		struct mbuf *m;
323 		DPRINT("Ext.Security: yes");
324 
325 		/*
326 		 * Skip the server GUID.
327 		 */
328 		err = mb_get_mem(mbp, NULL, SMB_GUIDLEN);
329 		if (err)
330 			goto errout;
331 		/*
332 		 * Remainder is the security blob.
333 		 * Note: eklen "must be ignored" [MS-SMB]
334 		 */
335 		len = (int)bc - SMB_GUIDLEN;
336 		if (len < 0)
337 			goto errout;
338 
339 		/*
340 		 * Get the (optional) SPNEGO "hint".
341 		 */
342 		err = mb_get_mbuf(mbp, len, &m);
343 		if (err)
344 			goto errout;
345 		mb_initm(oblob, m);
346 		oblob->mb_count = len;
347 	} else {
348 		DPRINT("Ext.Security: no");
349 		ctx->ct_hflags2 &= ~SMB_FLAGS2_EXT_SEC;
350 
351 		/*
352 		 * Save the "Encryption Key" (the challenge).
353 		 *
354 		 * Sanity check: make sure the sec. blob length
355 		 * isn't bigger than the byte count.
356 		 */
357 		if (bc < eklen || eklen < NTLM_CHAL_SZ) {
358 			err = EBADRPC;
359 			goto errout;
360 		}
361 		err = mb_get_mem(mbp, (char *)ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
362 		/*
363 		 * Server domain follows (ignored)
364 		 * Note: NOT aligned(2) - unusual!
365 		 */
366 	}
367 
368 	smb_rq_done(rqp);
369 
370 	/*
371 	 * A few sanity checks on what we received,
372 	 * becuse we will send these in ssnsetup.
373 	 *
374 	 * Maximum outstanding requests (we care),
375 	 * and Max. VCs (we only use one).  Also,
376 	 * MaxBufferSize lower limit per spec.
377 	 */
378 	if (sv->sv_maxmux < 1)
379 		sv->sv_maxmux = 1;
380 	if (sv->sv_maxvcs < 1)
381 		sv->sv_maxvcs = 1;
382 	if (sv->sv_maxtx < 1024)
383 		sv->sv_maxtx = 1024;
384 
385 	/*
386 	 * Maximum transfer size.
387 	 * Sanity checks:
388 	 *
389 	 * Let's be conservative about an upper limit here.
390 	 * Win2k uses 16644 (and others) so 32k should be a
391 	 * reasonable sanity limit for this value.
392 	 *
393 	 * Note that this limit does NOT affect READX/WRITEX
394 	 * with CAP_LARGE_..., which we nearly always use.
395 	 */
396 	is->is_txmax = sv->sv_maxtx;
397 	if (is->is_txmax > 0x8000)
398 		is->is_txmax = 0x8000;
399 
400 	/*
401 	 * Max read/write sizes, WITHOUT overhead.
402 	 * This is just the payload size, so we must
403 	 * leave room for the SMB headers, etc.
404 	 * This is just the ct_txmax value, but
405 	 * reduced and rounded down.  Tricky bit:
406 	 *
407 	 * Servers typically give us a value that's
408 	 * some nice "round" number, i.e 0x4000 plus
409 	 * some overhead, i.e. Win2k: 16644==0x4104
410 	 * Subtract for the SMB header (32) and the
411 	 * SMB command word and byte vectors (34?),
412 	 * then round down to a 512 byte multiple.
413 	 */
414 	len = is->is_txmax - 68;
415 	len &= 0xFE00;
416 	/* XXX: Not sure yet which of these to keep. */
417 	is->is_rwmax = len;
418 	is->is_rxmax = len;
419 	is->is_wxmax = len;
420 
421 	return (0);
422 
423 errout:
424 	smb_rq_done(rqp);
425 	if (err == 0)
426 		err = EBADRPC;
427 	return (err);
428 }
429