1 /*
2 * Copyright (c) 2000-2001 Boris Popov
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Boris Popov.
16 * 4. Neither the name of the author nor the names of any co-contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
35 */
36
37 /*
38 * SMB Negotiate Protocol, and related.
39 * Copied from the driver: smb_smb.c
40 */
41
42 #include <errno.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <unistd.h>
46 #include <strings.h>
47 #include <netdb.h>
48 #include <libintl.h>
49 #include <xti.h>
50 #include <assert.h>
51
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <sys/byteorder.h>
55 #include <sys/socket.h>
56 #include <sys/fcntl.h>
57
58 #include <netinet/in.h>
59 #include <netinet/tcp.h>
60 #include <arpa/inet.h>
61
62 #include <netsmb/smb.h>
63 #include <netsmb/smb_lib.h>
64 #include <netsmb/netbios.h>
65 #include <netsmb/nb_lib.h>
66 #include <netsmb/smb_dev.h>
67
68 #include "charsets.h"
69 #include "private.h"
70
71 /*
72 * SMB dialects that we know about.
73 */
74 struct smb_dialect {
75 int d_id;
76 const char *d_name;
77 };
78 static struct smb_dialect smb_dialects[] = {
79 {SMB_DIALECT_CORE, "PC NETWORK PROGRAM 1.0"},
80 {SMB_DIALECT_LANMAN1_0, "LANMAN1.0"},
81 {SMB_DIALECT_LANMAN2_0, "LM1.2X002"},
82 {SMB_DIALECT_LANMAN2_1, "LANMAN2.1"},
83 {SMB_DIALECT_NTLM0_12, "NT LM 0.12"},
84 {-1, NULL}
85 };
86
87 #define SMB_DIALECT_MAX \
88 (sizeof (smb_dialects) / sizeof (struct smb_dialect) - 2)
89
90 /*
91 * SMB Negotiate Protocol
92 * Based on code from the driver: smb_smb.c
93 *
94 * If using Extended Security, oblob (output)
95 * will hold the initial security "hint".
96 */
97 int
smb_negprot(struct smb_ctx * ctx,struct mbdata * oblob)98 smb_negprot(struct smb_ctx *ctx, struct mbdata *oblob)
99 {
100 struct smb_sopt *sv = &ctx->ct_sopt;
101 struct smb_iods *is = &ctx->ct_iods;
102 struct smb_rq *rqp;
103 struct mbdata *mbp;
104 struct smb_dialect *dp;
105 int err, len;
106 uint8_t wc, eklen;
107 uint16_t dindex, bc;
108 int will_sign = 0;
109
110 /*
111 * Initialize: vc_hflags and vc_hflags2.
112 * Note: ctx->ct_hflags* are copied into the
113 * (per request) rqp->rq_hflags* by smb_rq_init.
114 *
115 * Like Windows, set FLAGS2_UNICODE in our first request,
116 * even though technically we don't yet know whether the
117 * server supports Unicode. Will clear this flag below
118 * if we find out it doesn't. Need to do this because
119 * some servers reject all non-Unicode requests.
120 */
121 ctx->ct_hflags = SMB_FLAGS_CASELESS;
122 ctx->ct_hflags2 = SMB_FLAGS2_KNOWS_LONG_NAMES |
123 SMB_FLAGS2_ERR_STATUS | SMB_FLAGS2_UNICODE;
124
125 /*
126 * Sould we offer extended security?
127 * We'll turn this back off below if
128 * the server doesn't support it.
129 */
130 if (ctx->ct_vopt & SMBVOPT_EXT_SEC)
131 ctx->ct_hflags2 |= SMB_FLAGS2_EXT_SEC;
132
133 /*
134 * The initial UID needs to be zero,
135 * or Windows XP says "bad user".
136 * The initial TID is all ones, but
137 * we don't use it or store it here
138 * because the driver handles that.
139 */
140 is->is_smbuid = 0;
141
142 /*
143 * In case we're reconnecting,
144 * free previous stuff.
145 */
146 ctx->ct_mac_seqno = 0;
147 if (ctx->ct_mackey != NULL) {
148 free(ctx->ct_mackey);
149 ctx->ct_mackey = NULL;
150 ctx->ct_mackeylen = 0;
151 }
152
153 sv = &ctx->ct_sopt;
154 bzero(sv, sizeof (struct smb_sopt));
155
156 err = smb_rq_init(ctx, SMB_COM_NEGOTIATE, &rqp);
157 if (err)
158 return (err);
159
160 /*
161 * Build the SMB request.
162 */
163 mbp = &rqp->rq_rq;
164 mb_put_uint8(mbp, 0); /* word count */
165 smb_rq_bstart(rqp);
166 for (dp = smb_dialects; dp->d_id != -1; dp++) {
167 mb_put_uint8(mbp, SMB_DT_DIALECT);
168 mb_put_astring(mbp, dp->d_name);
169 }
170 smb_rq_bend(rqp);
171
172 /*
173 * This does the OTW call
174 */
175 err = smb_rq_internal(ctx, rqp);
176 if (err) {
177 DPRINT("call failed, err %d", err);
178 goto errout;
179 }
180 if (rqp->rq_status != 0) {
181 DPRINT("nt status 0x%x", rqp->rq_status);
182 err = EBADRPC;
183 goto errout;
184 }
185
186 /*
187 * Decode the response
188 *
189 * Comments to right show names as described in
190 * The Microsoft SMB Protocol spec. [MS-SMB]
191 * section 2.2.3
192 */
193 mbp = &rqp->rq_rp;
194 (void) md_get_uint8(mbp, &wc);
195 err = md_get_uint16le(mbp, &dindex);
196 if (err || dindex > SMB_DIALECT_MAX) {
197 DPRINT("err %d dindex %d", err, (int)dindex);
198 goto errout;
199 }
200 dp = smb_dialects + dindex;
201 sv->sv_proto = dp->d_id;
202 DPRINT("Dialect %s", dp->d_name);
203 if (dp->d_id < SMB_DIALECT_NTLM0_12) {
204 /* XXX: User-visible warning too? */
205 DPRINT("old dialect %s", dp->d_name);
206 goto errout;
207 }
208 if (wc != 17) {
209 DPRINT("bad wc %d", (int)wc);
210 goto errout;
211 }
212 md_get_uint8(mbp, &sv->sv_sm); /* SecurityMode */
213 md_get_uint16le(mbp, &sv->sv_maxmux); /* MaxMpxCount */
214 md_get_uint16le(mbp, &sv->sv_maxvcs); /* MaxCountVCs */
215 md_get_uint32le(mbp, &sv->sv_maxtx); /* MaxBufferSize */
216 md_get_uint32le(mbp, &sv->sv_maxraw); /* MaxRawSize */
217 md_get_uint32le(mbp, &sv->sv_skey); /* SessionKey */
218 md_get_uint32le(mbp, &sv->sv_caps); /* Capabilities */
219 md_get_mem(mbp, NULL, 8, MB_MSYSTEM); /* SystemTime(s) */
220 md_get_uint16le(mbp, (uint16_t *)&sv->sv_tz);
221 md_get_uint8(mbp, &eklen); /* EncryptionKeyLength */
222 err = md_get_uint16le(mbp, &bc); /* ByteCount */
223 if (err)
224 goto errout;
225
226 /* BEGIN CSTYLED */
227 /*
228 * Will we do SMB signing? Or block the connection?
229 * The table below describes this logic. References:
230 * [Windows Server Protocols: MS-SMB, sec. 3.2.4.2.3]
231 * http://msdn.microsoft.com/en-us/library/cc212511.aspx
232 * http://msdn.microsoft.com/en-us/library/cc212929.aspx
233 *
234 * Srv/Cli | Required | Enabled | If Required | Disabled
235 * ------------+----------+------------+-------------+-----------
236 * Required | Signed | Signed | Signed | Blocked [1]
237 * ------------+----------+------------+-------------+-----------
238 * Enabled | Signed | Signed | Not Signed | Not Signed
239 * ------------+----------+------------+-------------+-----------
240 * If Required | Signed | Not Signed | Not Signed | Not Signed
241 * ------------+----------+------------+-------------+-----------
242 * Disabled | Blocked | Not Signed | Not Signed | Not Signed
243 *
244 * [1] Like Windows 2003 and later, we don't really implement
245 * the "Disabled" setting. Instead we implement "If Required",
246 * so we always sign if the server requires signing.
247 */
248 /* END CSTYLED */
249
250 if (sv->sv_sm & SMB_SM_SIGS_REQUIRE) {
251 /*
252 * Server requires signing. We will sign,
253 * even if local setting is "disabled".
254 */
255 will_sign = 1;
256 } else if (sv->sv_sm & SMB_SM_SIGS) {
257 /*
258 * Server enables signing (client's option).
259 * If enabled locally, do signing.
260 */
261 if (ctx->ct_vopt & SMBVOPT_SIGNING_ENABLED)
262 will_sign = 1;
263 /* else not signing. */
264 } else {
265 /*
266 * Server does not support signing.
267 * If we "require" it, bail now.
268 */
269 if (ctx->ct_vopt & SMBVOPT_SIGNING_REQUIRED) {
270 DPRINT("Client requires signing "
271 "but server has it disabled.");
272 err = EBADRPC;
273 goto errout;
274 }
275 }
276
277 if (will_sign) {
278 ctx->ct_vcflags |= SMBV_WILL_SIGN;
279 }
280 DPRINT("Security signatures: %d", will_sign);
281
282 /* See comment above re. FLAGS2_UNICODE */
283 if (sv->sv_caps & SMB_CAP_UNICODE)
284 ctx->ct_vcflags |= SMBV_UNICODE;
285 else
286 ctx->ct_hflags2 &= ~SMB_FLAGS2_UNICODE;
287
288 if ((sv->sv_caps & SMB_CAP_STATUS32) == 0) {
289 /*
290 * They don't do NT error codes.
291 *
292 * If we send requests with
293 * SMB_FLAGS2_ERR_STATUS set in
294 * Flags2, Windows 98, at least,
295 * appears to send replies with that
296 * bit set even though it sends back
297 * DOS error codes. (They probably
298 * just use the request header as
299 * a template for the reply header,
300 * and don't bother clearing that bit.)
301 *
302 * Therefore, we clear that bit in
303 * our vc_hflags2 field.
304 */
305 ctx->ct_hflags2 &= ~SMB_FLAGS2_ERR_STATUS;
306 }
307 if (dp->d_id == SMB_DIALECT_NTLM0_12 &&
308 sv->sv_maxtx < 4096 &&
309 (sv->sv_caps & SMB_CAP_NT_SMBS) == 0) {
310 ctx->ct_vcflags |= SMBV_WIN95;
311 DPRINT("Win95 detected");
312 }
313
314 /*
315 * The rest of the message varies depending on
316 * whether we've negotiated "extended security".
317 *
318 * With extended security, we have:
319 * Server_GUID (length 16)
320 * Security_BLOB
321 * Otherwise we have:
322 * EncryptionKey (length is eklen)
323 * PrimaryDomain
324 */
325 if (sv->sv_caps & SMB_CAP_EXT_SECURITY) {
326 struct mbuf *m;
327 DPRINT("Ext.Security: yes");
328
329 /*
330 * Skip the server GUID.
331 */
332 err = md_get_mem(mbp, NULL, SMB_GUIDLEN, MB_MSYSTEM);
333 if (err)
334 goto errout;
335 /*
336 * Remainder is the security blob.
337 * Note: eklen "must be ignored" [MS-SMB]
338 */
339 len = (int)bc - SMB_GUIDLEN;
340 if (len < 0)
341 goto errout;
342
343 /*
344 * Get the (optional) SPNEGO "hint".
345 */
346 err = md_get_mbuf(mbp, len, &m);
347 if (err)
348 goto errout;
349 mb_initm(oblob, m);
350 oblob->mb_count = len;
351 } else {
352 DPRINT("Ext.Security: no");
353 ctx->ct_hflags2 &= ~SMB_FLAGS2_EXT_SEC;
354
355 /*
356 * Save the "Encryption Key" (the challenge).
357 *
358 * Sanity check: make sure the sec. blob length
359 * isn't bigger than the byte count.
360 */
361 if (bc < eklen || eklen < NTLM_CHAL_SZ) {
362 err = EBADRPC;
363 goto errout;
364 }
365 err = md_get_mem(mbp, ctx->ct_ntlm_chal,
366 NTLM_CHAL_SZ, MB_MSYSTEM);
367 /*
368 * Server domain follows (ignored)
369 * Note: NOT aligned(2) - unusual!
370 */
371 }
372
373 smb_rq_done(rqp);
374
375 /*
376 * A few sanity checks on what we received,
377 * becuse we will send these in ssnsetup.
378 *
379 * Maximum outstanding requests (we care),
380 * and Max. VCs (we only use one). Also,
381 * MaxBufferSize lower limit per spec.
382 */
383 if (sv->sv_maxmux < 1)
384 sv->sv_maxmux = 1;
385 if (sv->sv_maxvcs < 1)
386 sv->sv_maxvcs = 1;
387 if (sv->sv_maxtx < 1024)
388 sv->sv_maxtx = 1024;
389
390 /*
391 * Maximum transfer size.
392 * Sanity checks:
393 *
394 * Let's be conservative about an upper limit here.
395 * Win2k uses 16644 (and others) so 32k should be a
396 * reasonable sanity limit for this value.
397 *
398 * Note that this limit does NOT affect READX/WRITEX
399 * with CAP_LARGE_..., which we nearly always use.
400 */
401 is->is_txmax = sv->sv_maxtx;
402 if (is->is_txmax > 0x8000)
403 is->is_txmax = 0x8000;
404
405 /*
406 * Max read/write sizes, WITHOUT overhead.
407 * This is just the payload size, so we must
408 * leave room for the SMB headers, etc.
409 * This is just the ct_txmax value, but
410 * reduced and rounded down. Tricky bit:
411 *
412 * Servers typically give us a value that's
413 * some nice "round" number, i.e 0x4000 plus
414 * some overhead, i.e. Win2k: 16644==0x4104
415 * Subtract for the SMB header (32) and the
416 * SMB command word and byte vectors (34?),
417 * then round down to a 512 byte multiple.
418 */
419 len = is->is_txmax - 68;
420 len &= 0xFE00;
421 /* XXX: Not sure yet which of these to keep. */
422 is->is_rwmax = len;
423 is->is_rxmax = len;
424 is->is_wxmax = len;
425
426 return (0);
427
428 errout:
429 smb_rq_done(rqp);
430 if (err == 0)
431 err = EBADRPC;
432 return (err);
433 }
434