xref: /titanic_52/usr/src/lib/libsmbfs/smb/negprot.c (revision f38cb554a534c6df738be3f4d23327e69888e634)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
35  */
36 
37 /*
38  * SMB Negotiate Protocol, and related.
39  * Copied from the driver: smb_smb.c
40  */
41 
42 #include <errno.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <unistd.h>
46 #include <strings.h>
47 #include <netdb.h>
48 #include <libintl.h>
49 #include <xti.h>
50 #include <assert.h>
51 
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <sys/byteorder.h>
55 #include <sys/socket.h>
56 #include <sys/fcntl.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/tcp.h>
60 #include <arpa/inet.h>
61 
62 #include <netsmb/smb.h>
63 #include <netsmb/smb_lib.h>
64 #include <netsmb/netbios.h>
65 #include <netsmb/nb_lib.h>
66 #include <netsmb/smb_dev.h>
67 
68 #include "charsets.h"
69 #include "private.h"
70 
71 /*
72  * SMB dialects that we know about.
73  */
74 struct smb_dialect {
75 	int		d_id;
76 	const char	*d_name;
77 };
78 static struct smb_dialect smb_dialects[] = {
79 	{SMB_DIALECT_CORE,	"PC NETWORK PROGRAM 1.0"},
80 	{SMB_DIALECT_LANMAN1_0,	"LANMAN1.0"},
81 	{SMB_DIALECT_LANMAN2_0,	"LM1.2X002"},
82 	{SMB_DIALECT_LANMAN2_1,	"LANMAN2.1"},
83 	{SMB_DIALECT_NTLM0_12,	"NT LM 0.12"},
84 	{-1,			NULL}
85 };
86 
87 #define	SMB_DIALECT_MAX \
88 	(sizeof (smb_dialects) / sizeof (struct smb_dialect) - 2)
89 
90 /*
91  * SMB Negotiate Protocol
92  * Based on code from the driver: smb_smb.c
93  *
94  * If using Extended Security, oblob (output)
95  * will hold the initial security "hint".
96  */
97 int
98 smb_negprot(struct smb_ctx *ctx, struct mbdata *oblob)
99 {
100 	struct smb_sopt *sv = &ctx->ct_sopt;
101 	struct smb_iods *is = &ctx->ct_iods;
102 	struct smb_rq	*rqp;
103 	struct mbdata	*mbp;
104 	struct smb_dialect *dp;
105 	int err, len;
106 	uint8_t wc, eklen;
107 	uint16_t dindex, bc;
108 	int will_sign = 0;
109 
110 	/*
111 	 * Initialize: vc_hflags and vc_hflags2.
112 	 * Note: ctx->ct_hflags* are copied into the
113 	 * (per request) rqp->rq_hflags* by smb_rq_init.
114 	 *
115 	 * Like Windows, set FLAGS2_UNICODE in our first request,
116 	 * even though technically we don't yet know whether the
117 	 * server supports Unicode.  Will clear this flag below
118 	 * if we find out it doesn't.  Need to do this because
119 	 * some servers reject all non-Unicode requests.
120 	 */
121 	ctx->ct_hflags = SMB_FLAGS_CASELESS;
122 	ctx->ct_hflags2 = SMB_FLAGS2_KNOWS_LONG_NAMES |
123 	    SMB_FLAGS2_ERR_STATUS | SMB_FLAGS2_UNICODE;
124 
125 	/*
126 	 * Sould we offer extended security?
127 	 * We'll turn this back off below if
128 	 * the server doesn't support it.
129 	 */
130 	if (ctx->ct_vopt & SMBVOPT_EXT_SEC)
131 		ctx->ct_hflags2 |= SMB_FLAGS2_EXT_SEC;
132 
133 	/*
134 	 * The initial UID needs to be zero,
135 	 * or Windows XP says "bad user".
136 	 * The initial TID is all ones, but
137 	 * we don't use it or store it here
138 	 * because the driver handles that.
139 	 */
140 	is->is_smbuid = 0;
141 
142 	/*
143 	 * In case we're reconnecting,
144 	 * free previous stuff.
145 	 */
146 	ctx->ct_mac_seqno = 0;
147 	if (ctx->ct_mackey != NULL) {
148 		free(ctx->ct_mackey);
149 		ctx->ct_mackey = NULL;
150 		ctx->ct_mackeylen = 0;
151 	}
152 
153 	sv = &ctx->ct_sopt;
154 	bzero(sv, sizeof (struct smb_sopt));
155 
156 	err = smb_rq_init(ctx, SMB_COM_NEGOTIATE, &rqp);
157 	if (err)
158 		return (err);
159 
160 	/*
161 	 * Build the SMB request.
162 	 */
163 	mbp = &rqp->rq_rq;
164 	mb_put_uint8(mbp, 0);			/* word count */
165 	smb_rq_bstart(rqp);
166 	for (dp = smb_dialects; dp->d_id != -1; dp++) {
167 		mb_put_uint8(mbp, SMB_DT_DIALECT);
168 		mb_put_astring(mbp, dp->d_name);
169 	}
170 	smb_rq_bend(rqp);
171 
172 	/*
173 	 * This does the OTW call
174 	 */
175 	err = smb_rq_internal(ctx, rqp);
176 	if (err) {
177 		DPRINT("call failed, err %d", err);
178 		goto errout;
179 	}
180 	if (rqp->rq_status != 0) {
181 		DPRINT("nt status 0x%x", rqp->rq_status);
182 		err = EBADRPC;
183 		goto errout;
184 	}
185 
186 	/*
187 	 * Decode the response
188 	 *
189 	 * Comments to right show names as described in
190 	 * The Microsoft SMB Protocol spec. [MS-SMB]
191 	 * section 2.2.3
192 	 */
193 	mbp = &rqp->rq_rp;
194 	(void) md_get_uint8(mbp, &wc);
195 	err = md_get_uint16le(mbp, &dindex);
196 	if (err || dindex > SMB_DIALECT_MAX) {
197 		DPRINT("err %d dindex %d", err, (int)dindex);
198 		goto errout;
199 	}
200 	dp = smb_dialects + dindex;
201 	sv->sv_proto = dp->d_id;
202 	DPRINT("Dialect %s", dp->d_name);
203 	if (dp->d_id < SMB_DIALECT_NTLM0_12) {
204 		/* XXX: User-visible warning too? */
205 		DPRINT("old dialect %s", dp->d_name);
206 		goto errout;
207 	}
208 	if (wc != 17) {
209 		DPRINT("bad wc %d", (int)wc);
210 		goto errout;
211 	}
212 	md_get_uint8(mbp, &sv->sv_sm);		/* SecurityMode */
213 	md_get_uint16le(mbp, &sv->sv_maxmux);	/* MaxMpxCount */
214 	md_get_uint16le(mbp, &sv->sv_maxvcs);	/* MaxCountVCs */
215 	md_get_uint32le(mbp, &sv->sv_maxtx);	/* MaxBufferSize */
216 	md_get_uint32le(mbp, &sv->sv_maxraw);	/* MaxRawSize */
217 	md_get_uint32le(mbp, &sv->sv_skey);	/* SessionKey */
218 	md_get_uint32le(mbp, &sv->sv_caps);	/* Capabilities */
219 	md_get_mem(mbp, NULL, 8, MB_MSYSTEM);	/* SystemTime(s) */
220 	md_get_uint16le(mbp, (uint16_t *)&sv->sv_tz);
221 	md_get_uint8(mbp, &eklen);	/* EncryptionKeyLength */
222 	err = md_get_uint16le(mbp, &bc);	/* ByteCount */
223 	if (err)
224 		goto errout;
225 
226 	/* BEGIN CSTYLED */
227 	/*
228 	 * Will we do SMB signing?  Or block the connection?
229 	 * The table below describes this logic.  References:
230 	 * [Windows Server Protocols: MS-SMB, sec. 3.2.4.2.3]
231 	 * http://msdn.microsoft.com/en-us/library/cc212511.aspx
232 	 * http://msdn.microsoft.com/en-us/library/cc212929.aspx
233 	 *
234 	 * Srv/Cli     | Required | Enabled    | If Required | Disabled
235 	 * ------------+----------+------------+-------------+-----------
236 	 * Required    | Signed   | Signed     | Signed      | Blocked [1]
237 	 * ------------+----------+------------+-------------+-----------
238 	 * Enabled     | Signed   | Signed     | Not Signed  | Not Signed
239 	 * ------------+----------+------------+-------------+-----------
240 	 * If Required | Signed   | Not Signed | Not Signed  | Not Signed
241 	 * ------------+----------+------------+-------------+-----------
242 	 * Disabled    | Blocked  | Not Signed | Not Signed  | Not Signed
243 	 *
244 	 * [1] Like Windows 2003 and later, we don't really implement
245 	 * the "Disabled" setting.  Instead we implement "If Required",
246 	 * so we always sign if the server requires signing.
247 	 */
248 	/* END CSTYLED */
249 
250 	if (sv->sv_sm & SMB_SM_SIGS_REQUIRE) {
251 		/*
252 		 * Server requires signing.  We will sign,
253 		 * even if local setting is "disabled".
254 		 */
255 		will_sign = 1;
256 	} else if (sv->sv_sm & SMB_SM_SIGS) {
257 		/*
258 		 * Server enables signing (client's option).
259 		 * If enabled locally, do signing.
260 		 */
261 		if (ctx->ct_vopt & SMBVOPT_SIGNING_ENABLED)
262 			will_sign = 1;
263 		/* else not signing. */
264 	} else {
265 		/*
266 		 * Server does not support signing.
267 		 * If we "require" it, bail now.
268 		 */
269 		if (ctx->ct_vopt & SMBVOPT_SIGNING_REQUIRED) {
270 			DPRINT("Client requires signing "
271 			    "but server has it disabled.");
272 			err = EBADRPC;
273 			goto errout;
274 		}
275 	}
276 
277 	if (will_sign) {
278 		ctx->ct_vcflags |= SMBV_WILL_SIGN;
279 	}
280 	DPRINT("Security signatures: %d", will_sign);
281 
282 	/* See comment above re. FLAGS2_UNICODE */
283 	if (sv->sv_caps & SMB_CAP_UNICODE)
284 		ctx->ct_vcflags |= SMBV_UNICODE;
285 	else
286 		ctx->ct_hflags2 &= ~SMB_FLAGS2_UNICODE;
287 
288 	if ((sv->sv_caps & SMB_CAP_STATUS32) == 0) {
289 		/*
290 		 * They don't do NT error codes.
291 		 *
292 		 * If we send requests with
293 		 * SMB_FLAGS2_ERR_STATUS set in
294 		 * Flags2, Windows 98, at least,
295 		 * appears to send replies with that
296 		 * bit set even though it sends back
297 		 * DOS error codes.  (They probably
298 		 * just use the request header as
299 		 * a template for the reply header,
300 		 * and don't bother clearing that bit.)
301 		 *
302 		 * Therefore, we clear that bit in
303 		 * our vc_hflags2 field.
304 		 */
305 		ctx->ct_hflags2 &= ~SMB_FLAGS2_ERR_STATUS;
306 	}
307 	if (dp->d_id == SMB_DIALECT_NTLM0_12 &&
308 	    sv->sv_maxtx < 4096 &&
309 	    (sv->sv_caps & SMB_CAP_NT_SMBS) == 0) {
310 		ctx->ct_vcflags |= SMBV_WIN95;
311 		DPRINT("Win95 detected");
312 	}
313 
314 	/*
315 	 * The rest of the message varies depending on
316 	 * whether we've negotiated "extended security".
317 	 *
318 	 * With extended security, we have:
319 	 *	Server_GUID	(length 16)
320 	 *	Security_BLOB
321 	 * Otherwise we have:
322 	 *	EncryptionKey (length is eklen)
323 	 *	PrimaryDomain
324 	 */
325 	if (sv->sv_caps & SMB_CAP_EXT_SECURITY) {
326 		struct mbuf *m;
327 		DPRINT("Ext.Security: yes");
328 
329 		/*
330 		 * Skip the server GUID.
331 		 */
332 		err = md_get_mem(mbp, NULL, SMB_GUIDLEN, MB_MSYSTEM);
333 		if (err)
334 			goto errout;
335 		/*
336 		 * Remainder is the security blob.
337 		 * Note: eklen "must be ignored" [MS-SMB]
338 		 */
339 		len = (int)bc - SMB_GUIDLEN;
340 		if (len < 0)
341 			goto errout;
342 
343 		/*
344 		 * Get the (optional) SPNEGO "hint".
345 		 */
346 		err = md_get_mbuf(mbp, len, &m);
347 		if (err)
348 			goto errout;
349 		mb_initm(oblob, m);
350 		oblob->mb_count = len;
351 	} else {
352 		DPRINT("Ext.Security: no");
353 		ctx->ct_hflags2 &= ~SMB_FLAGS2_EXT_SEC;
354 
355 		/*
356 		 * Save the "Encryption Key" (the challenge).
357 		 *
358 		 * Sanity check: make sure the sec. blob length
359 		 * isn't bigger than the byte count.
360 		 */
361 		if (bc < eklen || eklen < NTLM_CHAL_SZ) {
362 			err = EBADRPC;
363 			goto errout;
364 		}
365 		err = md_get_mem(mbp, ctx->ct_ntlm_chal,
366 		    NTLM_CHAL_SZ, MB_MSYSTEM);
367 		/*
368 		 * Server domain follows (ignored)
369 		 * Note: NOT aligned(2) - unusual!
370 		 */
371 	}
372 
373 	smb_rq_done(rqp);
374 
375 	/*
376 	 * A few sanity checks on what we received,
377 	 * becuse we will send these in ssnsetup.
378 	 *
379 	 * Maximum outstanding requests (we care),
380 	 * and Max. VCs (we only use one).  Also,
381 	 * MaxBufferSize lower limit per spec.
382 	 */
383 	if (sv->sv_maxmux < 1)
384 		sv->sv_maxmux = 1;
385 	if (sv->sv_maxvcs < 1)
386 		sv->sv_maxvcs = 1;
387 	if (sv->sv_maxtx < 1024)
388 		sv->sv_maxtx = 1024;
389 
390 	/*
391 	 * Maximum transfer size.
392 	 * Sanity checks:
393 	 *
394 	 * Let's be conservative about an upper limit here.
395 	 * Win2k uses 16644 (and others) so 32k should be a
396 	 * reasonable sanity limit for this value.
397 	 *
398 	 * Note that this limit does NOT affect READX/WRITEX
399 	 * with CAP_LARGE_..., which we nearly always use.
400 	 */
401 	is->is_txmax = sv->sv_maxtx;
402 	if (is->is_txmax > 0x8000)
403 		is->is_txmax = 0x8000;
404 
405 	/*
406 	 * Max read/write sizes, WITHOUT overhead.
407 	 * This is just the payload size, so we must
408 	 * leave room for the SMB headers, etc.
409 	 * This is just the ct_txmax value, but
410 	 * reduced and rounded down.  Tricky bit:
411 	 *
412 	 * Servers typically give us a value that's
413 	 * some nice "round" number, i.e 0x4000 plus
414 	 * some overhead, i.e. Win2k: 16644==0x4104
415 	 * Subtract for the SMB header (32) and the
416 	 * SMB command word and byte vectors (34?),
417 	 * then round down to a 512 byte multiple.
418 	 */
419 	len = is->is_txmax - 68;
420 	len &= 0xFE00;
421 	/* XXX: Not sure yet which of these to keep. */
422 	is->is_rwmax = len;
423 	is->is_rxmax = len;
424 	is->is_wxmax = len;
425 
426 	return (0);
427 
428 errout:
429 	smb_rq_done(rqp);
430 	if (err == 0)
431 		err = EBADRPC;
432 	return (err);
433 }
434