1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /*
  13  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
  14  * Copyright 2019 RackTop Systems.
  15  */
  16 
  17 /*
  18  * Dispatch function for SMB2_NEGOTIATE
  19  */
  20 
  21 #include <smbsrv/smb2_kproto.h>
  22 #include <smbsrv/smb2.h>
  23 
  24 /*
  25  * Note from [MS-SMB2] Sec. 2.2.3:  Windows servers return
  26  * invalid parameter if the dialect count is greater than 64
  27  * This is here (and not in smb2.h) because this is technically
  28  * an implementation detail, not protocol specification.
  29  */
  30 #define SMB2_NEGOTIATE_MAX_DIALECTS     64
  31 
  32 static int smb2_negotiate_common(smb_request_t *, uint16_t);
  33 
  34 /* List of supported capabilities.  Can be patched for testing. */
  35 uint32_t smb2srv_capabilities =
  36         SMB2_CAP_DFS |
  37         SMB2_CAP_LEASING |
  38         SMB2_CAP_LARGE_MTU |
  39         SMB2_CAP_PERSISTENT_HANDLES |
  40         SMB2_CAP_ENCRYPTION;
  41 
  42 /* These are the only capabilities defined for SMB2.X */
  43 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU)
  44 
  45 /*
  46  * These are not intended as customer tunables, but dev. & test folks
  47  * might want to adjust them (with caution).
  48  *
  49  * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
  50  * with setsockopt SO_SNDBUF, SO_RCVBUF.  These set the TCP window size.
  51  * This is also used as a "sanity limit" for internal send/reply message
  52  * allocations.  Note that with compounding SMB2 messages may contain
  53  * multiple requests/responses.  This size should be large enough for
  54  * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
  55  *
  56  * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
  57  * the client the largest read and write request size we'll support.
  58  * For now, we're using contiguous allocations, so keep this at 64KB
  59  * so that (even with message overhead) allocations stay below 128KB,
  60  * avoiding kmem_alloc -> page_create_va thrashing.
  61  *
  62  * smb2_max_trans is the largest "transact" send or receive, which is
  63  * used for directory listings and info set/get operations.
  64  */
  65 uint32_t smb2_tcp_bufsize = (1<<22);      /* 4MB */
  66 uint32_t smb2_max_rwsize = (1<<16);       /* 64KB */
  67 uint32_t smb2_max_trans  = (1<<16);       /* 64KB */
  68 
  69 /*
  70  * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
  71  * (including all clients using dialect < SMB 2.1), use a "conservative" value
  72  * for max r/w size because some older clients misbehave with larger values.
  73  * 64KB is recommended in the [MS-SMB2] spec.  (3.3.5.3.1 SMB 2.1 or SMB 3.x
  74  * Support) as the minimum so we'll use that.
  75  */
  76 uint32_t smb2_old_rwsize = (1<<16);       /* 64KB */
  77 
  78 /*
  79  * List of all SMB2 versions we implement.  Note that the
  80  * versions we support may be limited by the
  81  * _cfg.skc_max_protocol and min_protocol settings.
  82  */
  83 static uint16_t smb2_versions[] = {
  84         0x202,  /* SMB 2.002 */
  85         0x210,  /* SMB 2.1 */
  86         0x300,  /* SMB 3.0 */
  87         0x302,  /* SMB 3.02 */
  88 };
  89 static uint16_t smb2_nversions =
  90     sizeof (smb2_versions) / sizeof (smb2_versions[0]);
  91 
  92 static boolean_t
  93 smb2_supported_version(smb_session_t *s, uint16_t version)
  94 {
  95         int i;
  96 
  97         if (version > s->s_cfg.skc_max_protocol ||
  98             version < s->s_cfg.skc_min_protocol)
  99                 return (B_FALSE);
 100         for (i = 0; i < smb2_nversions; i++)
 101                 if (version == smb2_versions[i])
 102                         return (B_TRUE);
 103         return (B_FALSE);
 104 }
 105 
 106 /*
 107  * Helper for the (SMB1) smb_com_negotiate().  This is the
 108  * very unusual protocol interaction where an SMB1 negotiate
 109  * gets an SMB2 negotiate response.  This is the normal way
 110  * clients first find out if the server supports SMB2.
 111  *
 112  * Note: This sends an SMB2 reply _itself_ and then returns
 113  * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
 114  * Also, this is called directly from the reader thread, so
 115  * we know this is the only thread using this session.
 116  *
 117  * The caller frees this request.
 118  */
 119 smb_sdrc_t
 120 smb1_negotiate_smb2(smb_request_t *sr)
 121 {
 122         smb_session_t *s = sr->session;
 123         smb_arg_negotiate_t *negprot = sr->sr_negprot;
 124         uint16_t smb2_version;
 125 
 126         /*
 127          * Note: In the SMB1 negotiate command handler, we
 128          * agreed with one of the SMB2 dialects.  If that
 129          * dialect was "SMB 2.002", we'll respond here with
 130          * version 0x202 and negotiation is done.  If that
 131          * dialect was "SMB 2.???", we'll respond here with
 132          * the "wildcard" version 0x2FF, and the client will
 133          * come back with an SMB2 negotiate.
 134          */
 135         switch (negprot->ni_dialect) {
 136         case DIALECT_SMB2002:   /* SMB 2.002 (a.k.a. SMB2.0) */
 137                 smb2_version = SMB_VERS_2_002;
 138                 s->dialect = smb2_version;
 139                 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
 140                 /* Allow normal SMB2 requests now. */
 141                 s->newrq_func = smb2sr_newrq;
 142                 break;
 143         case DIALECT_SMB2XXX:   /* SMB 2.??? (wildcard vers) */
 144                 /*
 145                  * Expecting an SMB2 negotiate next, so keep the
 146                  * initial s->newrq_func.
 147                  */
 148                 smb2_version = 0x2FF;
 149                 break;
 150         default:
 151                 return (SDRC_DROP_VC);
 152         }
 153 
 154         /*
 155          * We did not decode an SMB2 header, so make sure
 156          * the SMB2 header fields are initialized.
 157          * (Most are zero from smb_request_alloc.)
 158          * Also, the SMB1 common dispatch code reserved space
 159          * for an SMB1 header, which we need to undo here.
 160          */
 161         sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
 162         sr->smb2_cmd_code = SMB2_NEGOTIATE;
 163         sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
 164 
 165         (void) smb2_encode_header(sr, B_FALSE);
 166         if (smb2_negotiate_common(sr, smb2_version) != 0)
 167                 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
 168         if (sr->smb2_status != 0)
 169                 smb2sr_put_error(sr, sr->smb2_status);
 170         (void) smb2_encode_header(sr, B_TRUE);
 171 
 172         smb2_send_reply(sr);
 173 
 174         /*
 175          * We sent the reply, so tell the SMB1 dispatch
 176          * it should NOT (also) send a reply.
 177          */
 178         return (SDRC_NO_REPLY);
 179 }
 180 
 181 static uint16_t
 182 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[],
 183     uint16_t version_cnt)
 184 {
 185         uint16_t best_version = 0;
 186         int i;
 187 
 188         for (i = 0; i < version_cnt; i++)
 189                 if (smb2_supported_version(s, cl_versions[i]) &&
 190                     best_version < cl_versions[i])
 191                         best_version = cl_versions[i];
 192 
 193         return (best_version);
 194 }
 195 
 196 /*
 197  * SMB2 Negotiate gets special handling.  This is called directly by
 198  * the reader thread (see smbsr_newrq_initial) with what _should_ be
 199  * an SMB2 Negotiate.  Only the "\feSMB" header has been checked
 200  * when this is called, so this needs to check the SMB command,
 201  * if it's Negotiate execute it, then send the reply, etc.
 202  *
 203  * Since this is called directly from the reader thread, we
 204  * know this is the only thread currently using this session.
 205  * This has to duplicate some of what smb2sr_work does as a
 206  * result of bypassing the normal dispatch mechanism.
 207  *
 208  * The caller always frees this request.
 209  *
 210  * Return value is 0 for success, and anything else will
 211  * terminate the reader thread (drop the connection).
 212  */
 213 int
 214 smb2_newrq_negotiate(smb_request_t *sr)
 215 {
 216         smb_session_t *s = sr->session;
 217         int rc;
 218         uint32_t status = 0;
 219         uint16_t struct_size;
 220         uint16_t best_version;
 221         uint16_t version_cnt;
 222         uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
 223 
 224         sr->smb2_cmd_hdr = sr->command.chain_offset;
 225         rc = smb2_decode_header(sr);
 226         if (rc != 0)
 227                 return (rc);
 228 
 229         if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
 230                 return (-1);
 231 
 232         if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
 233             (sr->smb2_next_command != 0))
 234                 return (-1);
 235 
 236         /*
 237          * Decode SMB2 Negotiate (fixed-size part)
 238          */
 239         rc = smb_mbc_decodef(
 240             &sr->command, "www..l16c8.",
 241             &struct_size,   /* w */
 242             &version_cnt,   /* w */
 243             &s->cli_secmode,     /* w */
 244             /* reserved         (..) */
 245             &s->capabilities,    /* l */
 246             s->clnt_uuid);   /* 16c */
 247             /* start_time         8. */
 248         if (rc != 0)
 249                 return (rc);
 250         if (struct_size != 36)
 251                 return (-1);
 252 
 253         /*
 254          * Decode SMB2 Negotiate (variable part)
 255          *
 256          * Be somewhat tolerant while decoding the variable part
 257          * so we can return errors instead of dropping the client.
 258          * Will limit decoding to the size of cl_versions here,
 259          * and do the error checks on version_cnt after the
 260          * dtrace start probe.
 261          */
 262         if (version_cnt > 0 &&
 263             version_cnt <= SMB2_NEGOTIATE_MAX_DIALECTS &&
 264             smb_mbc_decodef(&sr->command, "#w", version_cnt,
 265             cl_versions) != 0) {
 266             /* decode error; force an error below */
 267             version_cnt = 0;
 268         }
 269 
 270         DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
 271 
 272         sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
 273         (void) smb2_encode_header(sr, B_FALSE);
 274 
 275         /*
 276          * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
 277          * "If the SMB2 header of the SMB2 NEGOTIATE request has the
 278          * SMB2_FLAGS_SIGNED bit set in the Flags field, the server
 279          * MUST fail the request with STATUS_INVALID_PARAMETER."
 280          */
 281         if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
 282                 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
 283                 status = NT_STATUS_INVALID_PARAMETER;
 284                 goto errout;
 285         }
 286 
 287         /*
 288          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 289          * "If the DialectCount of the SMB2 NEGOTIATE Request is 0, the
 290          * server MUST fail the request with STATUS_INVALID_PARAMETER."
 291          */
 292         if (version_cnt == 0 ||
 293             version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
 294                 status = NT_STATUS_INVALID_PARAMETER;
 295                 goto errout;
 296         }
 297 
 298         /*
 299          * The client offers an array of protocol versions it
 300          * supports, which we have decoded into cl_versions[].
 301          * We walk the array and pick the highest supported.
 302          *
 303          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 304          * "If a common dialect is not found, the server MUST fail
 305          * the request with STATUS_NOT_SUPPORTED."
 306          */
 307         best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
 308         if (best_version == 0) {
 309                 status = NT_STATUS_NOT_SUPPORTED;
 310                 goto errout;
 311         }
 312         s->dialect = best_version;
 313 
 314         /* Allow normal SMB2 requests now. */
 315         s->s_state = SMB_SESSION_STATE_NEGOTIATED;
 316         s->newrq_func = smb2sr_newrq;
 317 
 318         if (smb2_negotiate_common(sr, best_version) != 0)
 319                 status = NT_STATUS_INTERNAL_ERROR;
 320 
 321 errout:
 322         sr->smb2_status = status;
 323         DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
 324 
 325         if (sr->smb2_status != 0)
 326                 smb2sr_put_error(sr, sr->smb2_status);
 327         (void) smb2_encode_header(sr, B_TRUE);
 328 
 329         smb2_send_reply(sr);
 330 
 331         return (rc);
 332 }
 333 
 334 /*
 335  * Common parts of SMB2 Negotiate, used for both the
 336  * SMB1-to-SMB2 style, and straight SMB2 style.
 337  * Do negotiation decisions and encode the reply.
 338  * The caller does the network send.
 339  *
 340  * Return value is 0 for success, else error.
 341  */
 342 static int
 343 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
 344 {
 345         timestruc_t boot_tv, now_tv;
 346         smb_session_t *s = sr->session;
 347         int rc;
 348         uint32_t max_rwsize;
 349         uint16_t secmode;
 350 
 351         /*
 352          * Negotiation itself.  First the Security Mode.
 353          */
 354         secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 355         if (sr->sr_cfg->skc_signing_required)
 356                 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 357         s->srv_secmode = secmode;
 358 
 359         s->cmd_max_bytes = smb2_tcp_bufsize;
 360         s->reply_max_bytes = smb2_tcp_bufsize;
 361 
 362         /*
 363          * "The number of credits held by the client MUST be considered
 364          * as 1 when the connection is established." [MS-SMB2]
 365          * We leave credits at 1 until the first successful
 366          * session setup is completed.
 367          */
 368         s->s_cur_credits = s->s_max_credits = 1;
 369         sr->smb2_credit_response = 1;
 370 
 371         boot_tv.tv_sec = smb_get_boottime();
 372         boot_tv.tv_nsec = 0;
 373         now_tv.tv_sec = gethrestime_sec();
 374         now_tv.tv_nsec = 0;
 375 
 376         /*
 377          * If the version is 0x2FF, we haven't completed negotiate.
 378          * Don't initialize until we have our final request.
 379          */
 380         if (version != 0x2FF)
 381                 smb2_sign_init_mech(s);
 382 
 383         /*
 384          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 385          *
 386          * The SMB2.x capabilities are returned without regard for
 387          * what capabilities the client provided in the request.
 388          * The SMB3.x capabilities returned are the traditional
 389          * logical AND of server and client capabilities.
 390          *
 391          * One additional check: If KCF is missing something we
 392          * require for encryption, turn off that capability.
 393          */
 394         if (s->dialect < SMB_VERS_2_1) {
 395                 /* SMB 2.002 */
 396                 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
 397         } else if (s->dialect < SMB_VERS_3_0) {
 398                 /* SMB 2.x */
 399                 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
 400         } else {
 401                 /* SMB 3.0 or later */
 402                 s->srv_cap = smb2srv_capabilities &
 403                     (SMB_2X_CAPS | s->capabilities);
 404                 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
 405                     smb3_encrypt_init_mech(s) != 0) {
 406                         s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
 407                 }
 408         }
 409 
 410         /*
 411          * See notes above smb2_max_rwsize, smb2_old_rwsize
 412          */
 413         if (s->capabilities & SMB2_CAP_LARGE_MTU)
 414                 max_rwsize = smb2_max_rwsize;
 415         else
 416                 max_rwsize = smb2_old_rwsize;
 417 
 418         rc = smb_mbc_encodef(
 419             &sr->reply,
 420             "wwww#cllllTTwwl#c",
 421             65, /* StructSize */        /* w */
 422             s->srv_secmode,          /* w */
 423             version,                    /* w */
 424             0, /* reserved */           /* w */
 425             UUID_LEN,                   /* # */
 426             &s->s_cfg.skc_machine_uuid, /* c */
 427             s->srv_cap,                      /* l */
 428             smb2_max_trans,             /* l */
 429             max_rwsize,                 /* l */
 430             max_rwsize,                 /* l */
 431             &now_tv,                        /* T */
 432             &boot_tv,                       /* T */
 433             128, /* SecBufOff */        /* w */
 434             sr->sr_cfg->skc_negtok_len,   /* w */
 435             0,  /* reserved */          /* l */
 436             sr->sr_cfg->skc_negtok_len,   /* # */
 437             sr->sr_cfg->skc_negtok);      /* c */
 438 
 439         /* smb2_send_reply(sr); in caller */
 440 
 441         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 442             SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
 443             sizeof (smb2_tcp_bufsize), CRED());
 444         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 445             SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
 446             sizeof (smb2_tcp_bufsize), CRED());
 447 
 448         return (rc);
 449 }
 450 
 451 /*
 452  * SMB2 Dispatch table handler, which will run if we see an
 453  * SMB2_NEGOTIATE after the initial negotiation is done.
 454  * That would be a protocol error.
 455  */
 456 smb_sdrc_t
 457 smb2_negotiate(smb_request_t *sr)
 458 {
 459         sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
 460         return (SDRC_ERROR);
 461 }
 462 
 463 /*
 464  * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
 465  */
 466 uint32_t
 467 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
 468 {
 469         smb_session_t *s = sr->session;
 470         int rc;
 471 
 472         /*
 473          * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
 474          * and verify that the original negotiate was not modified.
 475          * The request MUST be signed, and we MUST validate the signature.
 476          *
 477          * One interesting requirement here is that we MUST reply
 478          * with exactly the same information as we returned in our
 479          * original reply to the SMB2 negotiate on this session.
 480          * If we don't the client closes the connection.
 481          */
 482 
 483         /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */
 484         uint32_t capabilities;
 485         uint16_t secmode, num_dialects, dialects[8];
 486         uint8_t clnt_guid[16];
 487 
 488         if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
 489                 goto drop;
 490 
 491         if (fsctl->InputCount < 24)
 492                 goto drop;
 493 
 494         (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww",
 495             &capabilities, /* l */
 496             &clnt_guid, /* 16c */
 497             &secmode, /* w */
 498             &num_dialects); /* w */
 499 
 500         if (num_dialects == 0 || num_dialects > 8)
 501                 goto drop;
 502         if (secmode != s->cli_secmode)
 503                 goto drop;
 504         if (capabilities != s->capabilities)
 505                 goto drop;
 506         if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0)
 507                 goto drop;
 508 
 509         if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects)))
 510                 goto drop;
 511 
 512         rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects);
 513         if (rc != 0)
 514                 goto drop;
 515 
 516         if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect)
 517                 goto drop;
 518 
 519         rc = smb_mbc_encodef(
 520             fsctl->out_mbc, "l#cww",
 521             s->srv_cap,                      /* l */
 522             UUID_LEN,                   /* # */
 523             &s->s_cfg.skc_machine_uuid, /* c */
 524             s->srv_secmode,          /* w */
 525             s->dialect);             /* w */
 526         if (rc == 0)
 527                 return (rc);
 528 
 529 drop:
 530         smb_session_disconnect(s);
 531         return (NT_STATUS_ACCESS_DENIED);
 532 }