12513 SMB 3.1.1 support for server

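--- a/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
@@ -14,20 +14,21 @@
  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  * If applicable, add the following below this CDDL HEADER, with the
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2020 RackTop Systems, Inc.
  */
 
 /*
  * CIFS configuration management library
  */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <synch.h>
@@ -143,43 +144,55 @@
         {SMB_CI_DFS_STDROOT_NUM, "dfs_stdroot_num", SCF_TYPE_INTEGER, 0},
         {SMB_CI_TRAVERSE_MOUNTS, "traverse_mounts", SCF_TYPE_BOOLEAN, 0},
         {SMB_CI_SMB2_ENABLE_OLD, "smb2_enable", SCF_TYPE_BOOLEAN, 0},
         {SMB_CI_INITIAL_CREDITS, "initial_credits", SCF_TYPE_INTEGER, 0},
         {SMB_CI_MAXIMUM_CREDITS, "maximum_credits", SCF_TYPE_INTEGER, 0},
         {SMB_CI_MAX_PROTOCOL, "max_protocol", SCF_TYPE_ASTRING, 0},
         {SMB_CI_ENCRYPT, "encrypt", SCF_TYPE_ASTRING, 0},
         {SMB_CI_MIN_PROTOCOL, "min_protocol", SCF_TYPE_ASTRING, 0},
         {SMB_CI_BYPASS_TRAVERSE_CHECKING,
             "bypass_traverse_checking", SCF_TYPE_BOOLEAN, 0},
+        {SMB_CI_ENCRYPT_CIPHER, "encrypt_cipher", SCF_TYPE_ASTRING, 0},
 
         /* SMB_CI_MAX */
 };
 
 /*
  * We store the max SMB protocol version in SMF as a string,
  * (for convenience of svccfg etc) but the programmatic get/set
  * interfaces use the numeric form.
  *
  * The numeric values are as defined in the [MS-SMB2] spec.
  * except for how we represent "1" (for SMB1) which is an
  * arbitrary value below SMB2_VERS_BASE.
  */
 static struct str_val
 smb_versions[] = {
+        { "3.11",       SMB_VERS_3_11 },
         { "3.02",       SMB_VERS_3_02 },
         { "3.0",        SMB_VERS_3_0 },
         { "2.1",        SMB_VERS_2_1 },
         { "2.002",      SMB_VERS_2_002 },
         { "1",          SMB_VERS_1 },
         { NULL,         0 }
 };
 
+/*
+ * Supported encryption ciphers.
+ */
+static struct str_val
+smb31_encrypt_ciphers[] = {
+        { "aes128-ccm", SMB3_CIPHER_AES128_CCM },       /* SMB 3.x */
+        { "aes128-gcm", SMB3_CIPHER_AES128_GCM },       /* SMB 3.1.1 */
+        { NULL,         0 }
+};
+
 static smb_cfg_param_t *smb_config_getent(smb_cfg_id_t);
 
 static boolean_t smb_is_base64(unsigned char c);
 static char *smb_base64_encode(char *str_to_encode);
 static char *smb_base64_decode(char *encoded_str);
 static int smb_config_get_idmap_preferred_dc(char *, int);
 static int smb_config_set_idmap_preferred_dc(char *);
 static int smb_config_get_idmap_site_name(char *, int);
 static int smb_config_set_idmap_site_name(char *);
 
@@ -1217,21 +1230,21 @@
         return (default_val);
 }
 
 /*
  * The service manifest has empty values by default for min_protocol and
  * max_protocol. The expectation is that when those values are empty, we don't
  * constrain the range of supported protocol versions (and allow use of the
  * whole range that we implement). For that reason, this should usually be the
  * highest protocol version we implement.
  */
-uint32_t max_protocol_default = SMB_VERS_3_02;
+uint32_t max_protocol_default = SMB_VERS_3_11;
 
 uint32_t
 smb_config_get_max_protocol(void)
 {
         uint32_t max;
 
         max = smb_config_get_protocol(SMB_CI_MAX_PROTOCOL, "max_protocol",
             max_protocol_default);
 
         return (max);
@@ -1253,20 +1266,48 @@
         return (min);
 }
 
 int
 smb_config_check_protocol(char *value)
 {
         if (smb_convert_version_str(value) != 0)
                 return (0);
 
         return (-1);
+}
+
+/*
+ * Only SMB 3.x supports encryption.
+ * SMB 3.0.2 uses AES128-CCM only.
+ * SMB 3.1.1 - AES128-CCM or AES128-GCM.
+ */
+uint16_t
+smb31_config_get_encrypt_cipher(void)
+{
+        uint32_t max_proto = smb_config_get_max_protocol();
+        uint16_t cipher = SMB3_CIPHER_AES128_GCM; /* by default AES128-GCM */
+        char str[12];
+        int i;
+
+        if (max_proto < SMB_VERS_3_11)
+                return (SMB3_CIPHER_NONE);
+
+        /* SMB 3.1.1 */
+        if (smb_config_getstr(SMB_CI_ENCRYPT_CIPHER, str, sizeof (str))
+            == SMBD_SMF_OK) {
+                for (i = 0; smb31_encrypt_ciphers[i].str != NULL; i++) {
+                        if (strcmp(str, smb31_encrypt_ciphers[i].str) == 0)
+                                cipher = smb31_encrypt_ciphers[i].val;
+                }
+        }
+
+        return (cipher);
 }
 
 /*
  * If smb2_enable is present and max_protocol is empty,
  * set max_protocol.  Delete smb2_enable.
  */
 static void
 upgrade_smb2_enable()
 {
         smb_scfhandle_t *handle;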
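Review bot: In `smb31_config_get_encrypt_cipher`, an `encrypt_cipher` value that matches no entry in `smb31_encrypt_ciphers` (a typo, or any name the table does not list) silently leaves `cipher` at AES128-GCM, so an administrator who meant to pin a cipher gets no signal that the setting was ignored. Nothing visible in this section validates the property the way `smb_config_check_protocol` does for version strings; an equivalent check at set time, or a log line on the no-match path, would surface the misconfiguration, and the loop can `break;` once a match is found. The header comment also says SMB 3.0.2 uses AES128-CCM, yet the function returns `SMB3_CIPHER_NONE` whenever max_protocol is below 3.1.1; if that value is meant as "no 3.1.1 cipher negotiation" rather than "encryption off", the comment should say so, e.g. `* Returns SMB3_CIPHER_NONE when max_protocol < 3.1.1 (no cipher negotiation; 3.0.x still uses AES128-CCM).` Finally, `char str[12]` fits the two names listed today, but how `smb_config_getstr` treats a longer stored value is not visible here and is worth confirming.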