1 /* 2 * Copyright (c) 2000-2001 Boris Popov 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Boris Popov. 16 * 4. Neither the name of the author nor the names of any co-contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 35 * Copyright 2013 Nexenta Systems, Inc. All rights reserved. 36 */ 37 38 /* 39 * SMB Negotiate Protocol, and related. 40 */ 41 42 #include <errno.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <unistd.h> 46 #include <strings.h> 47 #include <netdb.h> 48 #include <libintl.h> 49 #include <xti.h> 50 #include <assert.h> 51 52 #include <sys/types.h> 53 #include <sys/time.h> 54 #include <sys/byteorder.h> 55 #include <sys/socket.h> 56 #include <sys/fcntl.h> 57 58 #include <netinet/in.h> 59 #include <netinet/tcp.h> 60 #include <arpa/inet.h> 61 62 #include <netsmb/smb.h> 63 #include <netsmb/smb_lib.h> 64 #include <netsmb/netbios.h> 65 #include <netsmb/nb_lib.h> 66 #include <netsmb/smb_dev.h> 67 68 #include "charsets.h" 69 #include "smb_crypt.h" 70 #include "private.h" 71 72 /* 73 * SMB dialects that we know about. 74 */ 75 struct smb_dialect { 76 int d_id; 77 const char *d_name; 78 }; 79 static struct smb_dialect smb_dialects[] = { 80 {SMB_DIALECT_CORE, "PC NETWORK PROGRAM 1.0"}, 81 {SMB_DIALECT_LANMAN1_0, "LANMAN1.0"}, 82 {SMB_DIALECT_LANMAN2_0, "LM1.2X002"}, 83 {SMB_DIALECT_LANMAN2_1, "LANMAN2.1"}, 84 {SMB_DIALECT_NTLM0_12, "NT LM 0.12"}, 85 {-1, NULL} 86 }; 87 88 #define SMB_DIALECT_MAX \ 89 (sizeof (smb_dialects) / sizeof (struct smb_dialect) - 2) 90 91 static const uint32_t smb_clnt_caps_mask = 92 SMB_CAP_UNICODE | 93 SMB_CAP_LARGE_FILES | 94 SMB_CAP_NT_SMBS | 95 SMB_CAP_STATUS32 | 96 SMB_CAP_EXT_SECURITY; 97 98 /* 99 * SMB Negotiate Protocol 100 * Based on code from the driver: smb_smb.c 101 * 102 * If using Extended Security, oblob (output) 103 * will hold the initial security "hint". 104 */ 105 int 106 smb_negprot(struct smb_ctx *ctx, struct mbdata *oblob) 107 { 108 struct smb_sopt *sv = &ctx->ct_sopt; 109 struct smb_iods *is = &ctx->ct_iods; 110 struct smb_rq *rqp; 111 struct mbdata *mbp; 112 struct smb_dialect *dp; 113 int err, len; 114 uint8_t wc, eklen; 115 uint16_t dindex, bc; 116 int will_sign = 0; 117 118 /* 119 * Initialize: vc_hflags and vc_hflags2. 120 * Note: ctx->ct_hflags* are copied into the 121 * (per request) rqp->rq_hflags* by smb_rq_init. 122 * 123 * Like Windows, set FLAGS2_UNICODE in our first request, 124 * even though technically we don't yet know whether the 125 * server supports Unicode. Will clear this flag below 126 * if we find out it doesn't. Need to do this because 127 * some servers reject all non-Unicode requests. 128 */ 129 ctx->ct_hflags = 130 SMB_FLAGS_CASELESS | 131 SMB_FLAGS_CANONICAL_PATHNAMES; 132 ctx->ct_hflags2 = 133 SMB_FLAGS2_KNOWS_LONG_NAMES | 134 SMB_FLAGS2_KNOWS_EAS | 135 /* SMB_FLAGS2_IS_LONG_NAME |? */ 136 /* EXT_SEC (see below) */ 137 SMB_FLAGS2_ERR_STATUS | 138 SMB_FLAGS2_UNICODE; 139 140 /* 141 * Sould we offer extended security? 142 * We'll turn this back off below if 143 * the server doesn't support it. 144 */ 145 if (ctx->ct_vopt & SMBVOPT_EXT_SEC) 146 ctx->ct_hflags2 |= SMB_FLAGS2_EXT_SEC; 147 148 /* 149 * The initial UID needs to be zero, 150 * or Windows XP says "bad user". 151 * The initial TID is all ones, but 152 * we don't use it or store it here 153 * because the driver handles that. 154 */ 155 is->is_smbuid = 0; 156 157 /* 158 * In case we're reconnecting, 159 * free previous stuff. 160 */ 161 ctx->ct_mac_seqno = 0; 162 if (ctx->ct_mackey != NULL) { 163 free(ctx->ct_mackey); 164 ctx->ct_mackey = NULL; 165 ctx->ct_mackeylen = 0; 166 } 167 168 sv = &ctx->ct_sopt; 169 bzero(sv, sizeof (struct smb_sopt)); 170 171 err = smb_rq_init(ctx, SMB_COM_NEGOTIATE, &rqp); 172 if (err) 173 return (err); 174 175 /* 176 * Build the SMB request. 177 */ 178 mbp = &rqp->rq_rq; 179 mb_put_uint8(mbp, 0); /* word count */ 180 smb_rq_bstart(rqp); 181 for (dp = smb_dialects; dp->d_id != -1; dp++) { 182 mb_put_uint8(mbp, SMB_DT_DIALECT); 183 mb_put_astring(mbp, dp->d_name); 184 } 185 smb_rq_bend(rqp); 186 187 /* 188 * This does the OTW call 189 */ 190 err = smb_rq_internal(ctx, rqp); 191 if (err) { 192 DPRINT("call failed, err %d", err); 193 goto errout; 194 } 195 if (rqp->rq_status != 0) { 196 DPRINT("nt status 0x%x", rqp->rq_status); 197 err = EBADRPC; 198 goto errout; 199 } 200 201 /* 202 * Decode the response 203 * 204 * Comments to right show names as described in 205 * The Microsoft SMB Protocol spec. [MS-SMB] 206 * section 2.2.3 207 */ 208 mbp = &rqp->rq_rp; 209 (void) md_get_uint8(mbp, &wc); 210 err = md_get_uint16le(mbp, &dindex); 211 if (err || dindex > SMB_DIALECT_MAX) { 212 DPRINT("err %d dindex %d", err, (int)dindex); 213 goto errout; 214 } 215 dp = smb_dialects + dindex; 216 sv->sv_proto = dp->d_id; 217 DPRINT("Dialect %s", dp->d_name); 218 if (dp->d_id < SMB_DIALECT_NTLM0_12) { 219 /* XXX: User-visible warning too? */ 220 DPRINT("old dialect %s", dp->d_name); 221 goto errout; 222 } 223 if (wc != 17) { 224 DPRINT("bad wc %d", (int)wc); 225 goto errout; 226 } 227 md_get_uint8(mbp, &sv->sv_sm); /* SecurityMode */ 228 md_get_uint16le(mbp, &sv->sv_maxmux); /* MaxMpxCount */ 229 md_get_uint16le(mbp, &sv->sv_maxvcs); /* MaxCountVCs */ 230 md_get_uint32le(mbp, &sv->sv_maxtx); /* MaxBufferSize */ 231 md_get_uint32le(mbp, &sv->sv_maxraw); /* MaxRawSize */ 232 md_get_uint32le(mbp, &sv->sv_skey); /* SessionKey */ 233 md_get_uint32le(mbp, &sv->sv_caps); /* Capabilities */ 234 md_get_mem(mbp, NULL, 8, MB_MSYSTEM); /* SystemTime(s) */ 235 md_get_uint16le(mbp, (uint16_t *)&sv->sv_tz); 236 md_get_uint8(mbp, &eklen); /* EncryptionKeyLength */ 237 err = md_get_uint16le(mbp, &bc); /* ByteCount */ 238 if (err) 239 goto errout; 240 241 /* BEGIN CSTYLED */ 242 /* 243 * Will we do SMB signing? Or block the connection? 244 * The table below describes this logic. References: 245 * [Windows Server Protocols: MS-SMB, sec. 3.2.4.2.3] 246 * http://msdn.microsoft.com/en-us/library/cc212511.aspx 247 * http://msdn.microsoft.com/en-us/library/cc212929.aspx 248 * 249 * Srv/Cli | Required | Enabled | If Required | Disabled 250 * ------------+----------+------------+-------------+----------- 251 * Required | Signed | Signed | Signed | Blocked [1] 252 * ------------+----------+------------+-------------+----------- 253 * Enabled | Signed | Signed | Not Signed | Not Signed 254 * ------------+----------+------------+-------------+----------- 255 * If Required | Signed | Not Signed | Not Signed | Not Signed 256 * ------------+----------+------------+-------------+----------- 257 * Disabled | Blocked | Not Signed | Not Signed | Not Signed 258 * 259 * [1] Like Windows 2003 and later, we don't really implement 260 * the "Disabled" setting. Instead we implement "If Required", 261 * so we always sign if the server requires signing. 262 */ 263 /* END CSTYLED */ 264 265 if (sv->sv_sm & SMB_SM_SIGS_REQUIRE) { 266 /* 267 * Server requires signing. We will sign, 268 * even if local setting is "disabled". 269 */ 270 will_sign = 1; 271 } else if (sv->sv_sm & SMB_SM_SIGS) { 272 /* 273 * Server enables signing (client's option). 274 * If enabled locally, do signing. 275 */ 276 if (ctx->ct_vopt & SMBVOPT_SIGNING_ENABLED) 277 will_sign = 1; 278 /* else not signing. */ 279 } else { 280 /* 281 * Server does not support signing. 282 * If we "require" it, bail now. 283 */ 284 if (ctx->ct_vopt & SMBVOPT_SIGNING_REQUIRED) { 285 DPRINT("Client requires signing " 286 "but server has it disabled."); 287 err = EBADRPC; 288 goto errout; 289 } 290 } 291 292 if (will_sign) { 293 ctx->ct_vcflags |= SMBV_WILL_SIGN; 294 } 295 DPRINT("Security signatures: %d", will_sign); 296 297 /* See comment above re. FLAGS2_UNICODE */ 298 if (sv->sv_caps & SMB_CAP_UNICODE) 299 ctx->ct_vcflags |= SMBV_UNICODE; 300 else 301 ctx->ct_hflags2 &= ~SMB_FLAGS2_UNICODE; 302 303 if ((sv->sv_caps & SMB_CAP_STATUS32) == 0) { 304 /* 305 * They don't do NT error codes. 306 * 307 * If we send requests with 308 * SMB_FLAGS2_ERR_STATUS set in 309 * Flags2, Windows 98, at least, 310 * appears to send replies with that 311 * bit set even though it sends back 312 * DOS error codes. (They probably 313 * just use the request header as 314 * a template for the reply header, 315 * and don't bother clearing that bit.) 316 * 317 * Therefore, we clear that bit in 318 * our vc_hflags2 field. 319 */ 320 ctx->ct_hflags2 &= ~SMB_FLAGS2_ERR_STATUS; 321 } 322 if (dp->d_id == SMB_DIALECT_NTLM0_12 && 323 sv->sv_maxtx < 4096 && 324 (sv->sv_caps & SMB_CAP_NT_SMBS) == 0) { 325 ctx->ct_vcflags |= SMBV_WIN95; 326 DPRINT("Win95 detected"); 327 } 328 329 /* 330 * The rest of the message varies depending on 331 * whether we've negotiated "extended security". 332 * 333 * With extended security, we have: 334 * Server_GUID (length 16) 335 * Security_BLOB 336 * Otherwise we have: 337 * EncryptionKey (length is eklen) 338 * PrimaryDomain 339 */ 340 if (sv->sv_caps & SMB_CAP_EXT_SECURITY) { 341 struct mbuf *m; 342 DPRINT("Ext.Security: yes"); 343 344 /* 345 * Skip the server GUID. 346 */ 347 err = md_get_mem(mbp, NULL, SMB_GUIDLEN, MB_MSYSTEM); 348 if (err) 349 goto errout; 350 /* 351 * Remainder is the security blob. 352 * Note: eklen "must be ignored" [MS-SMB] 353 */ 354 len = (int)bc - SMB_GUIDLEN; 355 if (len < 0) 356 goto errout; 357 358 /* 359 * Get the (optional) SPNEGO "hint". 360 */ 361 err = md_get_mbuf(mbp, len, &m); 362 if (err) 363 goto errout; 364 mb_initm(oblob, m); 365 oblob->mb_count = len; 366 } else { 367 DPRINT("Ext.Security: no"); 368 ctx->ct_hflags2 &= ~SMB_FLAGS2_EXT_SEC; 369 370 /* 371 * Save the "Encryption Key" (the challenge). 372 * 373 * Sanity check: make sure the sec. blob length 374 * isn't bigger than the byte count. 375 */ 376 if (bc < eklen || eklen < NTLM_CHAL_SZ) { 377 err = EBADRPC; 378 goto errout; 379 } 380 err = md_get_mem(mbp, ctx->ct_srv_chal, 381 NTLM_CHAL_SZ, MB_MSYSTEM); 382 /* 383 * Server domain follows (ignored) 384 * Note: NOT aligned(2) - unusual! 385 */ 386 } 387 388 smb_rq_done(rqp); 389 390 /* 391 * A few sanity checks on what we received, 392 * becuse we will send these in ssnsetup. 393 * 394 * Maximum outstanding requests (we care), 395 * and Max. VCs (we only use one). Also, 396 * MaxBufferSize lower limit per spec. 397 */ 398 if (sv->sv_maxmux < 1) 399 sv->sv_maxmux = 1; 400 if (sv->sv_maxvcs < 1) 401 sv->sv_maxvcs = 1; 402 if (sv->sv_maxtx < 1024) 403 sv->sv_maxtx = 1024; 404 405 /* 406 * Maximum transfer size. 407 * Sanity checks: 408 * 409 * Let's be conservative about an upper limit here. 410 * Win2k uses 16644 (and others) so 32k should be a 411 * reasonable sanity limit for this value. 412 * 413 * Note that this limit does NOT affect READX/WRITEX 414 * with CAP_LARGE_..., which we nearly always use. 415 */ 416 is->is_txmax = sv->sv_maxtx; 417 if (is->is_txmax > 0x8000) 418 is->is_txmax = 0x8000; 419 420 /* 421 * Max read/write sizes, WITHOUT overhead. 422 * This is just the payload size, so we must 423 * leave room for the SMB headers, etc. 424 * This is just the ct_txmax value, but 425 * reduced and rounded down. Tricky bit: 426 * 427 * Servers typically give us a value that's 428 * some nice "round" number, i.e 0x4000 plus 429 * some overhead, i.e. Win2k: 16644==0x4104 430 * Subtract for the SMB header (32) and the 431 * SMB command word and byte vectors (34?), 432 * then round down to a 512 byte multiple. 433 */ 434 len = is->is_txmax - 68; 435 len &= 0xFE00; 436 /* XXX: Not sure yet which of these to keep. */ 437 is->is_rwmax = len; 438 is->is_rxmax = len; 439 is->is_wxmax = len; 440 441 /* 442 * Most of the "capability" bits we offer in session setup 443 * are just copied from those offered by the server. 444 */ 445 ctx->ct_clnt_caps = sv->sv_caps & smb_clnt_caps_mask; 446 447 /* Get the client nonce. */ 448 (void) smb_get_urandom(ctx->ct_clnonce, NTLM_CHAL_SZ); 449 450 return (0); 451 452 errout: 453 smb_rq_done(rqp); 454 if (err == 0) 455 err = EBADRPC; 456 return (err); 457 } 458