libsmbfs/smb/negprot.c

*10023SGordon.Ross@Sun.COM/*
*10023SGordon.Ross@Sun.COM * Copyright (c) 2000-2001 Boris Popov
*10023SGordon.Ross@Sun.COM * All rights reserved.
*10023SGordon.Ross@Sun.COM *
*10023SGordon.Ross@Sun.COM * Redistribution and use in source and binary forms, with or without
*10023SGordon.Ross@Sun.COM * modification, are permitted provided that the following conditions
*10023SGordon.Ross@Sun.COM * are met:
*10023SGordon.Ross@Sun.COM * 1. Redistributions of source code must retain the above copyright
*10023SGordon.Ross@Sun.COM *    notice, this list of conditions and the following disclaimer.
*10023SGordon.Ross@Sun.COM * 2. Redistributions in binary form must reproduce the above copyright
*10023SGordon.Ross@Sun.COM *    notice, this list of conditions and the following disclaimer in the
*10023SGordon.Ross@Sun.COM *    documentation and/or other materials provided with the distribution.
*10023SGordon.Ross@Sun.COM * 3. All advertising materials mentioning features or use of this software
*10023SGordon.Ross@Sun.COM *    must display the following acknowledgement:
*10023SGordon.Ross@Sun.COM *    This product includes software developed by Boris Popov.
*10023SGordon.Ross@Sun.COM * 4. Neither the name of the author nor the names of any co-contributors
*10023SGordon.Ross@Sun.COM *    may be used to endorse or promote products derived from this software
*10023SGordon.Ross@Sun.COM *    without specific prior written permission.
*10023SGordon.Ross@Sun.COM *
*10023SGordon.Ross@Sun.COM * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
*10023SGordon.Ross@Sun.COM * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
*10023SGordon.Ross@Sun.COM * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
*10023SGordon.Ross@Sun.COM * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
*10023SGordon.Ross@Sun.COM * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
*10023SGordon.Ross@Sun.COM * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
*10023SGordon.Ross@Sun.COM * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
*10023SGordon.Ross@Sun.COM * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
*10023SGordon.Ross@Sun.COM * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
*10023SGordon.Ross@Sun.COM * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
*10023SGordon.Ross@Sun.COM * SUCH DAMAGE.
*10023SGordon.Ross@Sun.COM */
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM/*
*10023SGordon.Ross@Sun.COM * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
*10023SGordon.Ross@Sun.COM * Use is subject to license terms.
*10023SGordon.Ross@Sun.COM */
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM/*
*10023SGordon.Ross@Sun.COM * SMB Negotiate Protocol, and related.
*10023SGordon.Ross@Sun.COM * Copied from the driver: smb_smb.c
*10023SGordon.Ross@Sun.COM */
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#include <errno.h>
*10023SGordon.Ross@Sun.COM#include <stdio.h>
*10023SGordon.Ross@Sun.COM#include <stdlib.h>
*10023SGordon.Ross@Sun.COM#include <unistd.h>
*10023SGordon.Ross@Sun.COM#include <strings.h>
*10023SGordon.Ross@Sun.COM#include <netdb.h>
*10023SGordon.Ross@Sun.COM#include <libintl.h>
*10023SGordon.Ross@Sun.COM#include <xti.h>
*10023SGordon.Ross@Sun.COM#include <assert.h>
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#include <sys/types.h>
*10023SGordon.Ross@Sun.COM#include <sys/time.h>
*10023SGordon.Ross@Sun.COM#include <sys/byteorder.h>
*10023SGordon.Ross@Sun.COM#include <sys/socket.h>
*10023SGordon.Ross@Sun.COM#include <sys/fcntl.h>
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#include <netinet/in.h>
*10023SGordon.Ross@Sun.COM#include <netinet/tcp.h>
*10023SGordon.Ross@Sun.COM#include <arpa/inet.h>
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#include <netsmb/smb.h>
*10023SGordon.Ross@Sun.COM#include <netsmb/smb_lib.h>
*10023SGordon.Ross@Sun.COM#include <netsmb/netbios.h>
*10023SGordon.Ross@Sun.COM#include <netsmb/nb_lib.h>
*10023SGordon.Ross@Sun.COM#include <netsmb/smb_dev.h>
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#include "charsets.h"
*10023SGordon.Ross@Sun.COM#include "private.h"
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM/*
*10023SGordon.Ross@Sun.COM * SMB dialects that we know about.
*10023SGordon.Ross@Sun.COM */
*10023SGordon.Ross@Sun.COMstruct smb_dialect {
*10023SGordon.Ross@Sun.COM	int		d_id;
*10023SGordon.Ross@Sun.COM	const char	*d_name;
*10023SGordon.Ross@Sun.COM};
*10023SGordon.Ross@Sun.COMstatic struct smb_dialect smb_dialects[] = {
*10023SGordon.Ross@Sun.COM	{SMB_DIALECT_CORE,	"PC NETWORK PROGRAM 1.0"},
*10023SGordon.Ross@Sun.COM	{SMB_DIALECT_LANMAN1_0,	"LANMAN1.0"},
*10023SGordon.Ross@Sun.COM	{SMB_DIALECT_LANMAN2_0,	"LM1.2X002"},
*10023SGordon.Ross@Sun.COM	{SMB_DIALECT_LANMAN2_1,	"LANMAN2.1"},
*10023SGordon.Ross@Sun.COM	{SMB_DIALECT_NTLM0_12,	"NT LM 0.12"},
*10023SGordon.Ross@Sun.COM	{-1,			NULL}
*10023SGordon.Ross@Sun.COM};
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM#define	SMB_DIALECT_MAX \
*10023SGordon.Ross@Sun.COM	(sizeof (smb_dialects) / sizeof (struct smb_dialect) - 2)
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM/*
*10023SGordon.Ross@Sun.COM * SMB Negotiate Protocol
*10023SGordon.Ross@Sun.COM * Based on code from the driver: smb_smb.c
*10023SGordon.Ross@Sun.COM *
*10023SGordon.Ross@Sun.COM * If using Extended Security, oblob (output)
*10023SGordon.Ross@Sun.COM * will hold the initial security "hint".
*10023SGordon.Ross@Sun.COM */
*10023SGordon.Ross@Sun.COMint
*10023SGordon.Ross@Sun.COMsmb_negprot(struct smb_ctx *ctx, struct mbdata *oblob)
*10023SGordon.Ross@Sun.COM{
*10023SGordon.Ross@Sun.COM	struct smb_sopt *sv = &ctx->ct_sopt;
*10023SGordon.Ross@Sun.COM	struct smb_iods *is = &ctx->ct_iods;
*10023SGordon.Ross@Sun.COM	struct smb_rq	*rqp;
*10023SGordon.Ross@Sun.COM	struct mbdata	*mbp;
*10023SGordon.Ross@Sun.COM	struct smb_dialect *dp;
*10023SGordon.Ross@Sun.COM	int err, len;
*10023SGordon.Ross@Sun.COM	uint8_t wc, stime[8], eklen;
*10023SGordon.Ross@Sun.COM	uint16_t dindex, bc;
*10023SGordon.Ross@Sun.COM	int will_sign = 0;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Initialize: vc_hflags and vc_hflags2.
*10023SGordon.Ross@Sun.COM	 * Note: ctx->ct_hflags* are copied into the
*10023SGordon.Ross@Sun.COM	 * (per request) rqp->rq_hflags* by smb_rq_init,
*10023SGordon.Ross@Sun.COM	 * so changing them after that call will not
*10023SGordon.Ross@Sun.COM	 * affect THIS request.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	ctx->ct_hflags = SMB_FLAGS_CASELESS;
*10023SGordon.Ross@Sun.COM	ctx->ct_hflags2 = (SMB_FLAGS2_ERR_STATUS |
*10023SGordon.Ross@Sun.COM	    SMB_FLAGS2_KNOWS_LONG_NAMES);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Sould we offer extended security?
*10023SGordon.Ross@Sun.COM	 * We'll turn this back off below if
*10023SGordon.Ross@Sun.COM	 * the server doesn't support it.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	if (ctx->ct_vopt & SMBVOPT_EXT_SEC)
*10023SGordon.Ross@Sun.COM		ctx->ct_hflags2 |= SMB_FLAGS2_EXT_SEC;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * The initial UID needs to be zero,
*10023SGordon.Ross@Sun.COM	 * or Windows XP says "bad user".
*10023SGordon.Ross@Sun.COM	 * The initial TID is all ones, but
*10023SGordon.Ross@Sun.COM	 * we don't use it or store it here
*10023SGordon.Ross@Sun.COM	 * because the driver handles that.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	is->is_smbuid = 0;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * In case we're reconnecting,
*10023SGordon.Ross@Sun.COM	 * free previous stuff.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	ctx->ct_mac_seqno = 0;
*10023SGordon.Ross@Sun.COM	if (ctx->ct_mackey != NULL) {
*10023SGordon.Ross@Sun.COM		free(ctx->ct_mackey);
*10023SGordon.Ross@Sun.COM		ctx->ct_mackey = NULL;
*10023SGordon.Ross@Sun.COM		ctx->ct_mackeylen = 0;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	sv = &ctx->ct_sopt;
*10023SGordon.Ross@Sun.COM	bzero(sv, sizeof (struct smb_sopt));
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	err = smb_rq_init(ctx, SMB_COM_NEGOTIATE, &rqp);
*10023SGordon.Ross@Sun.COM	if (err)
*10023SGordon.Ross@Sun.COM		return (err);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Build the SMB request.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	mbp = &rqp->rq_rq;
*10023SGordon.Ross@Sun.COM	mb_put_uint8(mbp, 0);			/* word count */
*10023SGordon.Ross@Sun.COM	smb_rq_bstart(rqp);
*10023SGordon.Ross@Sun.COM	for (dp = smb_dialects; dp->d_id != -1; dp++) {
*10023SGordon.Ross@Sun.COM		mb_put_uint8(mbp, SMB_DT_DIALECT);
*10023SGordon.Ross@Sun.COM		mb_put_astring(mbp, dp->d_name);
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	smb_rq_bend(rqp);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * This does the OTW call
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	err = smb_rq_internal(ctx, rqp);
*10023SGordon.Ross@Sun.COM	if (err) {
*10023SGordon.Ross@Sun.COM		DPRINT("call failed, err %d", err);
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	if (rqp->rq_status != 0) {
*10023SGordon.Ross@Sun.COM		DPRINT("nt status 0x%x", rqp->rq_status);
*10023SGordon.Ross@Sun.COM		err = EBADRPC;
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Decode the response
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Comments to right show names as described in
*10023SGordon.Ross@Sun.COM	 * The Microsoft SMB Protocol spec. [MS-SMB]
*10023SGordon.Ross@Sun.COM	 * section 2.2.3
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	mbp = &rqp->rq_rp;
*10023SGordon.Ross@Sun.COM	(void) mb_get_uint8(mbp, &wc);
*10023SGordon.Ross@Sun.COM	err = mb_get_uint16le(mbp, &dindex);
*10023SGordon.Ross@Sun.COM	if (err || dindex > SMB_DIALECT_MAX) {
*10023SGordon.Ross@Sun.COM		DPRINT("err %d dindex %d", err, (int)dindex);
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	dp = smb_dialects + dindex;
*10023SGordon.Ross@Sun.COM	sv->sv_proto = dp->d_id;
*10023SGordon.Ross@Sun.COM	DPRINT("Dialect %s", dp->d_name);
*10023SGordon.Ross@Sun.COM	if (dp->d_id < SMB_DIALECT_NTLM0_12) {
*10023SGordon.Ross@Sun.COM		/* XXX: User-visible warning too? */
*10023SGordon.Ross@Sun.COM		DPRINT("old dialect %s", dp->d_name);
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	if (wc != 17) {
*10023SGordon.Ross@Sun.COM		DPRINT("bad wc %d", (int)wc);
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	mb_get_uint8(mbp, &sv->sv_sm);		/* SecurityMode */
*10023SGordon.Ross@Sun.COM	mb_get_uint16le(mbp, &sv->sv_maxmux);	/* MaxMpxCount */
*10023SGordon.Ross@Sun.COM	mb_get_uint16le(mbp, &sv->sv_maxvcs);	/* MaxCountVCs */
*10023SGordon.Ross@Sun.COM	mb_get_uint32le(mbp, &sv->sv_maxtx);	/* MaxBufferSize */
*10023SGordon.Ross@Sun.COM	mb_get_uint32le(mbp, &sv->sv_maxraw);	/* MaxRawSize */
*10023SGordon.Ross@Sun.COM	mb_get_uint32le(mbp, &sv->sv_skey);	/* SessionKey */
*10023SGordon.Ross@Sun.COM	mb_get_uint32le(mbp, &sv->sv_caps);	/* Capabilities */
*10023SGordon.Ross@Sun.COM	mb_get_mem(mbp, (char *)stime, 8);	/* SystemTime(s) */
*10023SGordon.Ross@Sun.COM	mb_get_uint16le(mbp, (uint16_t *)&sv->sv_tz);
*10023SGordon.Ross@Sun.COM	mb_get_uint8(mbp, &eklen);	/* EncryptionKeyLength */
*10023SGordon.Ross@Sun.COM	err = mb_get_uint16le(mbp, &bc);	/* ByteCount */
*10023SGordon.Ross@Sun.COM	if (err)
*10023SGordon.Ross@Sun.COM		goto errout;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/* BEGIN CSTYLED */
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Will we do SMB signing?  Or block the connection?
*10023SGordon.Ross@Sun.COM	 * The table below describes this logic.  References:
*10023SGordon.Ross@Sun.COM	 * [Windows Server Protocols: MS-SMB, sec. 3.2.4.2.3]
*10023SGordon.Ross@Sun.COM	 * http://msdn.microsoft.com/en-us/library/cc212511.aspx
*10023SGordon.Ross@Sun.COM	 * http://msdn.microsoft.com/en-us/library/cc212929.aspx
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Srv/Cli     | Required | Enabled    | If Required | Disabled
*10023SGordon.Ross@Sun.COM	 * ------------+----------+------------+-------------+-----------
*10023SGordon.Ross@Sun.COM	 * Required    | Signed   | Signed     | Signed      | Blocked [1]
*10023SGordon.Ross@Sun.COM	 * ------------+----------+------------+-------------+-----------
*10023SGordon.Ross@Sun.COM	 * Enabled     | Signed   | Signed     | Not Signed  | Not Signed
*10023SGordon.Ross@Sun.COM	 * ------------+----------+------------+-------------+-----------
*10023SGordon.Ross@Sun.COM	 * If Required | Signed   | Not Signed | Not Signed  | Not Signed
*10023SGordon.Ross@Sun.COM	 * ------------+----------+------------+-------------+-----------
*10023SGordon.Ross@Sun.COM	 * Disabled    | Blocked  | Not Signed | Not Signed  | Not Signed
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * [1] Like Windows 2003 and later, we don't really implement
*10023SGordon.Ross@Sun.COM	 * the "Disabled" setting.  Instead we implement "If Required",
*10023SGordon.Ross@Sun.COM	 * so we always sign if the server requires signing.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	/* END CSTYLED */
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	if (sv->sv_sm & SMB_SM_SIGS_REQUIRE) {
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Server requires signing.  We will sign,
*10023SGordon.Ross@Sun.COM		 * even if local setting is "disabled".
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		will_sign = 1;
*10023SGordon.Ross@Sun.COM	} else if (sv->sv_sm & SMB_SM_SIGS) {
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Server enables signing (client's option).
*10023SGordon.Ross@Sun.COM		 * If enabled locally, do signing.
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		if (ctx->ct_vopt & SMBVOPT_SIGNING_ENABLED)
*10023SGordon.Ross@Sun.COM			will_sign = 1;
*10023SGordon.Ross@Sun.COM		/* else not signing. */
*10023SGordon.Ross@Sun.COM	} else {
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Server does not support signing.
*10023SGordon.Ross@Sun.COM		 * If we "require" it, bail now.
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		if (ctx->ct_vopt & SMBVOPT_SIGNING_REQUIRED) {
*10023SGordon.Ross@Sun.COM			DPRINT("Client requires signing "
*10023SGordon.Ross@Sun.COM			    "but server has it disabled.");
*10023SGordon.Ross@Sun.COM			err = EBADRPC;
*10023SGordon.Ross@Sun.COM			goto errout;
*10023SGordon.Ross@Sun.COM		}
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	if (will_sign) {
*10023SGordon.Ross@Sun.COM		ctx->ct_vcflags |= SMBV_WILL_SIGN;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	DPRINT("Security signatures: %d", will_sign);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	if (sv->sv_caps & SMB_CAP_UNICODE) {
*10023SGordon.Ross@Sun.COM		ctx->ct_vcflags |= SMBV_UNICODE;
*10023SGordon.Ross@Sun.COM		ctx->ct_hflags2 |= SMB_FLAGS2_UNICODE;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	if ((sv->sv_caps & SMB_CAP_STATUS32) == 0) {
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * They don't do NT error codes.
*10023SGordon.Ross@Sun.COM		 *
*10023SGordon.Ross@Sun.COM		 * If we send requests with
*10023SGordon.Ross@Sun.COM		 * SMB_FLAGS2_ERR_STATUS set in
*10023SGordon.Ross@Sun.COM		 * Flags2, Windows 98, at least,
*10023SGordon.Ross@Sun.COM		 * appears to send replies with that
*10023SGordon.Ross@Sun.COM		 * bit set even though it sends back
*10023SGordon.Ross@Sun.COM		 * DOS error codes.  (They probably
*10023SGordon.Ross@Sun.COM		 * just use the request header as
*10023SGordon.Ross@Sun.COM		 * a template for the reply header,
*10023SGordon.Ross@Sun.COM		 * and don't bother clearing that bit.)
*10023SGordon.Ross@Sun.COM		 *
*10023SGordon.Ross@Sun.COM		 * Therefore, we clear that bit in
*10023SGordon.Ross@Sun.COM		 * our vc_hflags2 field.
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		ctx->ct_hflags2 &= ~SMB_FLAGS2_ERR_STATUS;
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM	if (dp->d_id == SMB_DIALECT_NTLM0_12 &&
*10023SGordon.Ross@Sun.COM	    sv->sv_maxtx < 4096 &&
*10023SGordon.Ross@Sun.COM	    (sv->sv_caps & SMB_CAP_NT_SMBS) == 0) {
*10023SGordon.Ross@Sun.COM		ctx->ct_vcflags |= SMBV_WIN95;
*10023SGordon.Ross@Sun.COM		DPRINT("Win95 detected");
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * The rest of the message varies depending on
*10023SGordon.Ross@Sun.COM	 * whether we've negotiated "extended security".
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * With extended security, we have:
*10023SGordon.Ross@Sun.COM	 *	Server_GUID	(length 16)
*10023SGordon.Ross@Sun.COM	 *	Security_BLOB
*10023SGordon.Ross@Sun.COM	 * Otherwise we have:
*10023SGordon.Ross@Sun.COM	 *	EncryptionKey (length is eklen)
*10023SGordon.Ross@Sun.COM	 *	PrimaryDomain
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	if (sv->sv_caps & SMB_CAP_EXT_SECURITY) {
*10023SGordon.Ross@Sun.COM		struct mbuf *m;
*10023SGordon.Ross@Sun.COM		DPRINT("Ext.Security: yes");
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Skip the server GUID.
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		err = mb_get_mem(mbp, NULL, SMB_GUIDLEN);
*10023SGordon.Ross@Sun.COM		if (err)
*10023SGordon.Ross@Sun.COM			goto errout;
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Remainder is the security blob.
*10023SGordon.Ross@Sun.COM		 * Note: eklen "must be ignored" [MS-SMB]
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		len = (int)bc - SMB_GUIDLEN;
*10023SGordon.Ross@Sun.COM		if (len < 0)
*10023SGordon.Ross@Sun.COM			goto errout;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Get the (optional) SPNEGO "hint".
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		err = mb_get_mbuf(mbp, len, &m);
*10023SGordon.Ross@Sun.COM		if (err)
*10023SGordon.Ross@Sun.COM			goto errout;
*10023SGordon.Ross@Sun.COM		mb_initm(oblob, m);
*10023SGordon.Ross@Sun.COM		oblob->mb_count = len;
*10023SGordon.Ross@Sun.COM	} else {
*10023SGordon.Ross@Sun.COM		DPRINT("Ext.Security: no");
*10023SGordon.Ross@Sun.COM		ctx->ct_hflags2 &= ~SMB_FLAGS2_EXT_SEC;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Save the "Encryption Key" (the challenge).
*10023SGordon.Ross@Sun.COM		 *
*10023SGordon.Ross@Sun.COM		 * Sanity check: make sure the sec. blob length
*10023SGordon.Ross@Sun.COM		 * isn't bigger than the byte count.
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM		if (bc < eklen || eklen < NTLM_CHAL_SZ) {
*10023SGordon.Ross@Sun.COM			err = EBADRPC;
*10023SGordon.Ross@Sun.COM			goto errout;
*10023SGordon.Ross@Sun.COM		}
*10023SGordon.Ross@Sun.COM		err = mb_get_mem(mbp, (char *)ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
*10023SGordon.Ross@Sun.COM		/*
*10023SGordon.Ross@Sun.COM		 * Server domain follows (ignored)
*10023SGordon.Ross@Sun.COM		 * Note: NOT aligned(2) - unusual!
*10023SGordon.Ross@Sun.COM		 */
*10023SGordon.Ross@Sun.COM	}
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	smb_rq_done(rqp);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * A few sanity checks on what we received,
*10023SGordon.Ross@Sun.COM	 * becuse we will send these in ssnsetup.
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Maximum outstanding requests (we care),
*10023SGordon.Ross@Sun.COM	 * and Max. VCs (we only use one).  Also,
*10023SGordon.Ross@Sun.COM	 * MaxBufferSize lower limit per spec.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	if (sv->sv_maxmux < 1)
*10023SGordon.Ross@Sun.COM		sv->sv_maxmux = 1;
*10023SGordon.Ross@Sun.COM	if (sv->sv_maxvcs < 1)
*10023SGordon.Ross@Sun.COM		sv->sv_maxvcs = 1;
*10023SGordon.Ross@Sun.COM	if (sv->sv_maxtx < 1024)
*10023SGordon.Ross@Sun.COM		sv->sv_maxtx = 1024;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Maximum transfer size.
*10023SGordon.Ross@Sun.COM	 * Sanity checks:
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Let's be conservative about an upper limit here.
*10023SGordon.Ross@Sun.COM	 * Win2k uses 16644 (and others) so 32k should be a
*10023SGordon.Ross@Sun.COM	 * reasonable sanity limit for this value.
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Note that this limit does NOT affect READX/WRITEX
*10023SGordon.Ross@Sun.COM	 * with CAP_LARGE_..., which we nearly always use.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	is->is_txmax = sv->sv_maxtx;
*10023SGordon.Ross@Sun.COM	if (is->is_txmax > 0x8000)
*10023SGordon.Ross@Sun.COM		is->is_txmax = 0x8000;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	/*
*10023SGordon.Ross@Sun.COM	 * Max read/write sizes, WITHOUT overhead.
*10023SGordon.Ross@Sun.COM	 * This is just the payload size, so we must
*10023SGordon.Ross@Sun.COM	 * leave room for the SMB headers, etc.
*10023SGordon.Ross@Sun.COM	 * This is just the ct_txmax value, but
*10023SGordon.Ross@Sun.COM	 * reduced and rounded down.  Tricky bit:
*10023SGordon.Ross@Sun.COM	 *
*10023SGordon.Ross@Sun.COM	 * Servers typically give us a value that's
*10023SGordon.Ross@Sun.COM	 * some nice "round" number, i.e 0x4000 plus
*10023SGordon.Ross@Sun.COM	 * some overhead, i.e. Win2k: 16644==0x4104
*10023SGordon.Ross@Sun.COM	 * Subtract for the SMB header (32) and the
*10023SGordon.Ross@Sun.COM	 * SMB command word and byte vectors (34?),
*10023SGordon.Ross@Sun.COM	 * then round down to a 512 byte multiple.
*10023SGordon.Ross@Sun.COM	 */
*10023SGordon.Ross@Sun.COM	len = is->is_txmax - 68;
*10023SGordon.Ross@Sun.COM	len &= 0xFE00;
*10023SGordon.Ross@Sun.COM	/* XXX: Not sure yet which of these to keep. */
*10023SGordon.Ross@Sun.COM	is->is_rwmax = len;
*10023SGordon.Ross@Sun.COM	is->is_rxmax = len;
*10023SGordon.Ross@Sun.COM	is->is_wxmax = len;
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COM	return (0);
*10023SGordon.Ross@Sun.COM
*10023SGordon.Ross@Sun.COMerrout:
*10023SGordon.Ross@Sun.COM	smb_rq_done(rqp);
*10023SGordon.Ross@Sun.COM	if (err == 0)
*10023SGordon.Ross@Sun.COM		err = EBADRPC;
*10023SGordon.Ross@Sun.COM	return (err);
*10023SGordon.Ross@Sun.COM}