1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * Notes on the virtual circuit (VC) values in the SMB Negotiate
27 * response and SessionSetupAndx request.
28 *
29 * A virtual circuit (VC) represents a connection between a client and a
30 * server using a reliable, session oriented transport protocol, such as
31 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
32 * single underlying transport connection, i.e. a single NetBIOS session,
33 * which limited performance for raw data transfers.
34 *
35 * The intention behind multiple VCs was to improve performance by
36 * allowing parallelism over each NetBIOS session. For example, raw data
37 * could be transmitted using a different VC from other types of SMB
38 * requests to remove the interleaving restriction while a raw transfer
39 * is in progress. So the MaxNumberVcs field was added to the negotiate
40 * response to make the number of VCs configurable and to allow servers
41 * to specify how many they were prepared to support per session
42 * connection. This turned out to be difficult to manage and, with
43 * technology improvements, it has become obsolete.
44 *
45 * Servers should set the MaxNumberVcs value in the Negotiate response
46 * to 1. Clients should probably ignore it. If a server receives a
47 * SessionSetupAndx with a VC value of 0, it should close all other
48 * VCs to that client. If it receives a non-zero VC, it should leave
49 * other VCs in tact.
50 *
51 */
52
53 /*
54 * SMB: negotiate
55 *
56 * Client Request Description
57 * ============================ =======================================
58 *
59 * UCHAR WordCount; Count of parameter words = 0
60 * USHORT ByteCount; Count of data bytes; min = 2
61 * struct {
62 * UCHAR BufferFormat; 0x02 -- Dialect
63 * UCHAR DialectName[]; ASCII null-terminated string
64 * } Dialects[];
65 *
66 * The Client sends a list of dialects that it can communicate with. The
67 * response is a selection of one of those dialects (numbered 0 through n)
68 * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
69 * The negotiate message is binding on the virtual circuit and must be
70 * sent. One and only one negotiate message may be sent, subsequent
71 * negotiate requests will be rejected with an error response and no action
72 * will be taken.
73 *
74 * The protocol does not impose any particular structure to the dialect
75 * strings. Implementors of particular protocols may choose to include,
76 * for example, version numbers in the string.
77 *
78 * If the server does not understand any of the dialect strings, or if PC
79 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
80 *
81 * Server Response Description
82 * ============================ =======================================
83 *
84 * UCHAR WordCount; Count of parameter words = 1
85 * USHORT DialectIndex; Index of selected dialect
86 * USHORT ByteCount; Count of data bytes = 0
87 *
88 * If the chosen dialect is greater than core up to and including
89 * LANMAN2.1, the protocol response format is
90 *
91 * Server Response Description
92 * ============================ =======================================
93 *
94 * UCHAR WordCount; Count of parameter words = 13
95 * USHORT DialectIndex; Index of selected dialect
96 * USHORT SecurityMode; Security mode:
97 * bit 0: 0 = share, 1 = user
98 * bit 1: 1 = use challenge/response
99 * authentication
100 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024)
101 * USHORT MaxMpxCount; Max pending multiplexed requests
102 * USHORT MaxNumberVcs; Max VCs between client and server
103 * USHORT RawMode; Raw modes supported:
104 * bit 0: 1 = Read Raw supported
105 * bit 1: 1 = Write Raw supported
106 * ULONG SessionKey; Unique token identifying this session
107 * SMB_TIME ServerTime; Current time at server
108 * SMB_DATE ServerDate; Current date at server
109 * USHORT ServerTimeZone; Current time zone at server
110 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1
111 * USHORT Reserved; MBZ
112 * USHORT ByteCount Count of data bytes
113 * UCHAR EncryptionKey[]; The challenge encryption key
114 * STRING PrimaryDomain[]; The server's primary domain
115 *
116 * MaxBufferSize is the size of the largest message which the client can
117 * legitimately send to the server
118 *
119 * If bit0 of the Flags field is set in the negotiate response, this
120 * indicates the server supports the SMB_COM_LOCK_AND_READ and
121 * SMB_COM_WRITE_AND_UNLOCK client requests.
122 *
123 * If the SecurityMode field indicates the server is running in user mode,
124 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
125 * before the server will allow the client to access resources. If the
126 * SecurityMode fields indicates the client should use challenge/response
127 * authentication, the client should use the authentication mechanism
128 * specified in section 2.10.
129 *
130 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
131 * to the server when using multiplexed reads or writes (see sections 5.13
132 * and 5.25)
133 *
134 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different
135 * form of raw reads than documented here, and servers are better off
136 * setting RawMode in this response to 0 for such sessions.
137 *
138 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
139 * PrimaryDomain string should be included in this response.
140 *
141 * If the negotiated dialect is NT LM 0.12, the response format is
142 *
143 * Server Response Description
144 * ========================== =========================================
145 *
146 * UCHAR WordCount; Count of parameter words = 17
147 * USHORT DialectIndex; Index of selected dialect
148 * UCHAR SecurityMode; Security mode:
149 * bit 0: 0 = share, 1 = user
150 * bit 1: 1 = encrypt passwords
151 * USHORT MaxMpxCount; Max pending multiplexed requests
152 * USHORT MaxNumberVcs; Max VCs between client and server
153 * ULONG MaxBufferSize; Max transmit buffer size
154 * ULONG MaxRawSize; Maximum raw buffer size
155 * ULONG SessionKey; Unique token identifying this session
156 * ULONG Capabilities; Server capabilities
157 * ULONG SystemTimeLow; System (UTC) time of the server (low).
158 * ULONG SystemTimeHigh; System (UTC) time of the server (high).
159 * USHORT ServerTimeZone; Time zone of server (min from UTC)
160 * UCHAR EncryptionKeyLength; Length of encryption key.
161 * USHORT ByteCount; Count of data bytes
162 * UCHAR EncryptionKey[]; The challenge encryption key
163 * UCHAR OemDomainName[]; The name of the domain (in OEM chars)
164 *
165 * In addition to the definitions above, MaxBufferSize is the size of the
166 * largest message which the client can legitimately send to the server.
167 * If the client is using a connectionless protocol, MaxBufferSize must be
168 * set to the smaller of the server's internal buffer size and the amount
169 * of data which can be placed in a response packet.
170 *
171 * MaxRawSize specifies the maximum message size the server can send or
172 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
173 *
174 * Connectionless clients must set Sid to 0 in the SMB request header.
175 *
176 * Capabilities allows the server to tell the client what it supports.
177 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
178 * the negotiate response capabilities but it caused problems with
179 * Windows 2000. It is probably not valid, it doesn't appear in the
180 * CIFS spec.
181 *
182 * 4.1.1.1 Errors
183 *
184 * SUCCESS/SUCCESS
185 * ERRSRV/ERRerror
186 */
187 #include <sys/types.h>
188 #include <sys/strsubr.h>
189 #include <sys/socketvar.h>
190 #include <sys/socket.h>
191 #include <sys/random.h>
192 #include <netinet/in.h>
193 #include <smbsrv/smb_kproto.h>
194 #include <smbsrv/smbinfo.h>
195
196 static smb_xlate_t smb_dialect[] = {
197 { DIALECT_UNKNOWN, "DIALECT_UNKNOWN" },
198 { PC_NETWORK_PROGRAM_1_0, "PC NETWORK PROGRAM 1.0" },
199 { PCLAN1_0, "PCLAN1.0" },
200 { MICROSOFT_NETWORKS_1_03, "MICROSOFT NETWORKS 1.03" },
201 { MICROSOFT_NETWORKS_3_0, "MICROSOFT NETWORKS 3.0" },
202 { LANMAN1_0, "LANMAN1.0" },
203 { LM1_2X002, "LM1.2X002" },
204 { DOS_LM1_2X002, "DOS LM1.2X002" },
205 { DOS_LANMAN2_1, "DOS LANMAN2.1" },
206 { LANMAN2_1, "LANMAN2.1" },
207 { Windows_for_Workgroups_3_1a, "Windows for Workgroups 3.1a" },
208 { NT_LM_0_12, "NT LM 0.12" }
209 };
210
211 /*
212 * Maximum buffer size for DOS: chosen to be the same as NT.
213 * Do not change this value, DOS is very sensitive to it.
214 */
215 #define SMB_DOS_MAXBUF 0x1104
216
217 /*
218 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
219 * with other values. DOS 6.1 seems to depend on a window value of 8700 to
220 * send the next set of data. If we return a window value of 40KB, after
221 * sending 8700 bytes of data, it will start the next set of data from 40KB
222 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
223 * September 2000.
224 *
225 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
226 * for a larger TCP window sizei based on observations of Windows 2000 and
227 * performance testing. March 2003.
228 */
229 static uint32_t smb_dos_tcp_rcvbuf = 8700;
230 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */
231
232 static void smb_negotiate_genkey(smb_request_t *);
233 static int smb_xlate_dialect(const char *);
234
235 int smb_cap_passthru = 1;
236
237 smb_sdrc_t
smb_pre_negotiate(smb_request_t * sr)238 smb_pre_negotiate(smb_request_t *sr)
239 {
240 smb_arg_negotiate_t *negprot;
241 int dialect;
242 int pos;
243 int rc = 0;
244
245 negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
246 negprot->ni_index = -1;
247 sr->sr_negprot = negprot;
248
249 for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
250 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
251 smbsr_error(sr, 0, ERRSRV, ERRerror);
252 rc = -1;
253 break;
254 }
255
256 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
257 continue;
258
259 if (negprot->ni_dialect < dialect) {
260 negprot->ni_dialect = dialect;
261 negprot->ni_index = pos;
262 }
263 }
264
265 DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr,
266 smb_arg_negotiate_t, negprot);
267 smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER);
268 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
269 }
270
271 void
smb_post_negotiate(smb_request_t * sr)272 smb_post_negotiate(smb_request_t *sr)
273 {
274 smb_arg_negotiate_t *negprot = sr->sr_negprot;
275
276 DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr,
277 smb_arg_negotiate_t, negprot);
278 smb_rwx_rwexit(&sr->session->s_lock);
279
280 bzero(negprot, sizeof (smb_arg_negotiate_t));
281 }
282
283 smb_sdrc_t
smb_com_negotiate(smb_request_t * sr)284 smb_com_negotiate(smb_request_t *sr)
285 {
286 smb_arg_negotiate_t *negprot = sr->sr_negprot;
287 uint16_t secmode;
288 uint16_t rawmode = 0;
289 uint32_t sesskey;
290 char ipaddr_buf[INET6_ADDRSTRLEN];
291 char *nbdomain;
292 uint8_t *wcbuf;
293 int wclen;
294 smb_msgbuf_t mb;
295 int rc;
296
297 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
298 /* The protocol has already been negotiated. */
299 smbsr_error(sr, 0, ERRSRV, ERRerror);
300 return (SDRC_ERROR);
301 }
302
303 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE |
304 NEGOTIATE_SECURITY_USER_LEVEL;
305 secmode = sr->session->secmode;
306
307 smb_negotiate_genkey(sr);
308 sesskey = sr->session->sesskey;
309
310 (void) microtime(&negprot->ni_servertime);
311 negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
312 negprot->ni_maxmpxcount = sr->sr_cfg->skc_maxworkers;
313 nbdomain = sr->sr_cfg->skc_nbdomain;
314
315 /*
316 * UNICODE support is required for long share names,
317 * long file names and streams.
318 */
319 negprot->ni_capabilities = CAP_LARGE_FILES
320 | CAP_UNICODE
321 | CAP_NT_SMBS
322 | CAP_STATUS32
323 | CAP_NT_FIND
324 | CAP_LEVEL_II_OPLOCKS
325 | CAP_LOCK_AND_READ
326 | CAP_RPC_REMOTE_APIS
327 | CAP_LARGE_READX
328 | CAP_LARGE_WRITEX
329 | CAP_DFS;
330
331 if (smb_raw_mode) {
332 negprot->ni_capabilities |= CAP_RAW_MODE;
333 rawmode = 3;
334 }
335
336 if (smb_cap_passthru)
337 negprot->ni_capabilities |= CAP_INFOLEVEL_PASSTHRU;
338 else
339 cmn_err(CE_NOTE, "smbsrv: cap passthru is %s",
340 (negprot->ni_capabilities & CAP_INFOLEVEL_PASSTHRU) ?
341 "enabled" : "disabled");
342
343 (void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf,
344 SMB_IPSTRLEN(sr->session->ipaddr.a_family));
345
346 switch (negprot->ni_dialect) {
347 case PC_NETWORK_PROGRAM_1_0: /* core */
348 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
349 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
350 sizeof (smb_dos_tcp_rcvbuf), CRED());
351 rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
352 negprot->ni_index, 0);
353 break;
354
355 case Windows_for_Workgroups_3_1a:
356 case PCLAN1_0:
357 case MICROSOFT_NETWORKS_1_03:
358 case MICROSOFT_NETWORKS_3_0:
359 case LANMAN1_0:
360 case LM1_2X002:
361 case DOS_LM1_2X002:
362 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
363 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
364 sizeof (smb_dos_tcp_rcvbuf), CRED());
365 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
366 rc = smbsr_encode_result(sr, 13, VAR_BCC,
367 "bwwwwwwlYww2.w#c",
368 13, /* wct */
369 negprot->ni_index, /* dialect index */
370 secmode, /* security mode */
371 SMB_DOS_MAXBUF, /* max buffer size */
372 1, /* max MPX */
373 1, /* max VCs */
374 rawmode, /* read/write raw (s/b 3) */
375 sesskey, /* session key */
376 negprot->ni_servertime.tv_sec, /* server date/time */
377 negprot->ni_tzcorrection,
378 (uint16_t)negprot->ni_keylen, /* encryption key length */
379 /* reserved field handled 2. */
380 VAR_BCC,
381 (int)negprot->ni_keylen,
382 negprot->ni_key); /* encryption key */
383 break;
384
385 case DOS_LANMAN2_1:
386 case LANMAN2_1:
387 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
388 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
389 sizeof (smb_dos_tcp_rcvbuf), CRED());
390 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
391 rc = smbsr_encode_result(sr, 13, VAR_BCC,
392 "bwwwwwwlYww2.w#cs",
393 13, /* wct */
394 negprot->ni_index, /* dialect index */
395 secmode, /* security mode */
396 SMB_DOS_MAXBUF, /* max buffer size */
397 1, /* max MPX */
398 1, /* max VCs */
399 rawmode, /* read/write raw (s/b 3) */
400 sesskey, /* session key */
401 negprot->ni_servertime.tv_sec, /* server date/time */
402 negprot->ni_tzcorrection,
403 (uint16_t)negprot->ni_keylen, /* encryption key length */
404 /* reserved field handled 2. */
405 VAR_BCC,
406 (int)negprot->ni_keylen,
407 negprot->ni_key, /* encryption key */
408 nbdomain);
409 break;
410
411 case NT_LM_0_12:
412 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
413 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
414 sizeof (smb_nt_tcp_rcvbuf), CRED());
415
416 /*
417 * Turn off Extended Security Negotiation
418 */
419 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
420
421 /*
422 * Allow SMB signatures if security challenge response enabled
423 */
424 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
425 sr->sr_cfg->skc_signing_enable) {
426 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
427 if (sr->sr_cfg->skc_signing_required)
428 secmode |=
429 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
430
431 sr->session->secmode = secmode;
432 }
433
434 /*
435 * nbdomain is not expected to be aligned.
436 * Use temporary buffer to avoid alignment padding
437 */
438 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
439 wcbuf = smb_srm_zalloc(sr, wclen);
440 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
441 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
442 smb_msgbuf_term(&mb);
443 smbsr_error(sr, 0, ERRSRV, ERRerror);
444 return (SDRC_ERROR);
445 }
446
447 rc = smbsr_encode_result(sr, 17, VAR_BCC,
448 "bwbwwllllTwbw#c#c",
449 17, /* wct */
450 negprot->ni_index, /* dialect index */
451 secmode, /* security mode */
452 negprot->ni_maxmpxcount, /* max MPX */
453 1, /* max VCs */
454 (DWORD)smb_maxbufsize, /* max buffer size */
455 0xFFFF, /* max raw size */
456 sesskey, /* session key */
457 negprot->ni_capabilities,
458 &negprot->ni_servertime, /* system time */
459 negprot->ni_tzcorrection,
460 negprot->ni_keylen, /* encryption key length */
461 VAR_BCC,
462 (int)negprot->ni_keylen,
463 negprot->ni_key, /* encryption key */
464 wclen,
465 wcbuf); /* nbdomain (unicode) */
466
467 smb_msgbuf_term(&mb);
468 break;
469
470 default:
471 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
472 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
473 }
474
475 if (rc != 0)
476 return (SDRC_ERROR);
477
478 /*
479 * Save the agreed dialect. Note that this value is also
480 * used to detect and reject attempts to re-negotiate.
481 */
482 sr->session->dialect = negprot->ni_dialect;
483 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
484 return (SDRC_SUCCESS);
485 }
486
487 static void
smb_negotiate_genkey(smb_request_t * sr)488 smb_negotiate_genkey(smb_request_t *sr)
489 {
490 smb_arg_negotiate_t *negprot = sr->sr_negprot;
491 uint8_t tmp_key[8];
492
493 (void) random_get_pseudo_bytes(tmp_key, 8);
494 bcopy(tmp_key, &sr->session->challenge_key, 8);
495 sr->session->challenge_len = 8;
496 negprot->ni_keylen = 8;
497 bcopy(tmp_key, negprot->ni_key, 8);
498
499 (void) random_get_pseudo_bytes(tmp_key, 4);
500 sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
501 tmp_key[2] << 16 | tmp_key[3] << 24;
502 }
503
504 static int
smb_xlate_dialect(const char * dialect)505 smb_xlate_dialect(const char *dialect)
506 {
507 smb_xlate_t *dp;
508 int i;
509
510 for (i = 0; i < sizeof (smb_dialect) / sizeof (smb_dialect[0]); ++i) {
511 dp = &smb_dialect[i];
512
513 if (strcmp(dp->str, dialect) == 0)
514 return (dp->code);
515 }
516
517 return (-1);
518 }
519