1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 * Copyright 2019 RackTop Systems.
15 */
16
17 /*
18 * Dispatch function for SMB2_NEGOTIATE
19 */
20
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb2.h>
23
24 /*
25 * Note from [MS-SMB2] Sec. 2.2.3: Windows servers return
26 * invalid parameter if the dialect count is greater than 64
27 * This is here (and not in smb2.h) because this is technically
28 * an implementation detail, not protocol specification.
29 */
30 #define SMB2_NEGOTIATE_MAX_DIALECTS 64
31
32 static int smb2_negotiate_common(smb_request_t *, uint16_t);
33
34 /* List of supported capabilities. Can be patched for testing. */
35 uint32_t smb2srv_capabilities =
36 SMB2_CAP_DFS |
37 SMB2_CAP_LEASING |
38 SMB2_CAP_LARGE_MTU |
39 SMB2_CAP_PERSISTENT_HANDLES |
40 SMB2_CAP_ENCRYPTION;
41
42 /* These are the only capabilities defined for SMB2.X */
43 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU)
44
45 /*
46 * These are not intended as customer tunables, but dev. & test folks
47 * might want to adjust them (with caution).
48 *
49 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
50 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
51 * This is also used as a "sanity limit" for internal send/reply message
52 * allocations. Note that with compounding SMB2 messages may contain
53 * multiple requests/responses. This size should be large enough for
54 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
55 *
56 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
57 * the client the largest read and write request size we'll support.
58 * For now, we're using contiguous allocations, so keep this at 64KB
59 * so that (even with message overhead) allocations stay below 128KB,
60 * avoiding kmem_alloc -> page_create_va thrashing.
61 *
62 * smb2_max_trans is the largest "transact" send or receive, which is
63 * used for directory listings and info set/get operations.
64 */
65 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
66 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */
67 uint32_t smb2_max_trans = (1<<16); /* 64KB */
68
69 /*
70 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
71 * (including all clients using dialect < SMB 2.1), use a "conservative" value
72 * for max r/w size because some older clients misbehave with larger values.
73 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
74 * Support) as the minimum so we'll use that.
75 */
76 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
77
78 /*
79 * List of all SMB2 versions we implement. Note that the
80 * versions we support may be limited by the
81 * _cfg.skc_max_protocol and min_protocol settings.
82 */
83 static uint16_t smb2_versions[] = {
84 0x202, /* SMB 2.002 */
85 0x210, /* SMB 2.1 */
86 0x300, /* SMB 3.0 */
87 0x302, /* SMB 3.02 */
88 };
89 static uint16_t smb2_nversions =
90 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
91
92 static boolean_t
93 smb2_supported_version(smb_session_t *s, uint16_t version)
94 {
95 int i;
96
97 if (version > s->s_cfg.skc_max_protocol ||
98 version < s->s_cfg.skc_min_protocol)
99 return (B_FALSE);
100 for (i = 0; i < smb2_nversions; i++)
101 if (version == smb2_versions[i])
102 return (B_TRUE);
103 return (B_FALSE);
104 }
105
106 /*
107 * Helper for the (SMB1) smb_com_negotiate(). This is the
108 * very unusual protocol interaction where an SMB1 negotiate
109 * gets an SMB2 negotiate response. This is the normal way
110 * clients first find out if the server supports SMB2.
111 *
112 * Note: This sends an SMB2 reply _itself_ and then returns
113 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
114 * Also, this is called directly from the reader thread, so
115 * we know this is the only thread using this session.
116 *
117 * The caller frees this request.
118 */
119 smb_sdrc_t
120 smb1_negotiate_smb2(smb_request_t *sr)
121 {
122 smb_session_t *s = sr->session;
123 smb_arg_negotiate_t *negprot = sr->sr_negprot;
124 uint16_t smb2_version;
125
126 /*
127 * Note: In the SMB1 negotiate command handler, we
128 * agreed with one of the SMB2 dialects. If that
129 * dialect was "SMB 2.002", we'll respond here with
130 * version 0x202 and negotiation is done. If that
131 * dialect was "SMB 2.???", we'll respond here with
132 * the "wildcard" version 0x2FF, and the client will
133 * come back with an SMB2 negotiate.
134 */
135 switch (negprot->ni_dialect) {
136 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
137 smb2_version = SMB_VERS_2_002;
138 s->dialect = smb2_version;
139 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
140 /* Allow normal SMB2 requests now. */
141 s->newrq_func = smb2sr_newrq;
142 break;
143 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
144 /*
145 * Expecting an SMB2 negotiate next, so keep the
146 * initial s->newrq_func.
147 */
148 smb2_version = 0x2FF;
149 break;
150 default:
151 return (SDRC_DROP_VC);
152 }
153
154 /*
155 * We did not decode an SMB2 header, so make sure
156 * the SMB2 header fields are initialized.
157 * (Most are zero from smb_request_alloc.)
158 * Also, the SMB1 common dispatch code reserved space
159 * for an SMB1 header, which we need to undo here.
160 */
161 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
162 sr->smb2_cmd_code = SMB2_NEGOTIATE;
163 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
164
165 (void) smb2_encode_header(sr, B_FALSE);
166 if (smb2_negotiate_common(sr, smb2_version) != 0)
167 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
168 if (sr->smb2_status != 0)
169 smb2sr_put_error(sr, sr->smb2_status);
170 (void) smb2_encode_header(sr, B_TRUE);
171
172 smb2_send_reply(sr);
173
174 /*
175 * We sent the reply, so tell the SMB1 dispatch
176 * it should NOT (also) send a reply.
177 */
178 return (SDRC_NO_REPLY);
179 }
180
181 static uint16_t
182 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[],
183 uint16_t version_cnt)
184 {
185 uint16_t best_version = 0;
186 int i;
187
188 for (i = 0; i < version_cnt; i++)
189 if (smb2_supported_version(s, cl_versions[i]) &&
190 best_version < cl_versions[i])
191 best_version = cl_versions[i];
192
193 return (best_version);
194 }
195
196 /*
197 * SMB2 Negotiate gets special handling. This is called directly by
198 * the reader thread (see smbsr_newrq_initial) with what _should_ be
199 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
200 * when this is called, so this needs to check the SMB command,
201 * if it's Negotiate execute it, then send the reply, etc.
202 *
203 * Since this is called directly from the reader thread, we
204 * know this is the only thread currently using this session.
205 * This has to duplicate some of what smb2sr_work does as a
206 * result of bypassing the normal dispatch mechanism.
207 *
208 * The caller always frees this request.
209 *
210 * Return value is 0 for success, and anything else will
211 * terminate the reader thread (drop the connection).
212 */
213 int
214 smb2_newrq_negotiate(smb_request_t *sr)
215 {
216 smb_session_t *s = sr->session;
217 int rc;
218 uint32_t status = 0;
219 uint16_t struct_size;
220 uint16_t best_version;
221 uint16_t version_cnt;
222 uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
223
224 sr->smb2_cmd_hdr = sr->command.chain_offset;
225 rc = smb2_decode_header(sr);
226 if (rc != 0)
227 return (rc);
228
229 if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
230 return (-1);
231
232 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
233 (sr->smb2_next_command != 0))
234 return (-1);
235
236 /*
237 * Decode SMB2 Negotiate (fixed-size part)
238 */
239 rc = smb_mbc_decodef(
240 &sr->command, "www..l16c8.",
241 &struct_size, /* w */
242 &version_cnt, /* w */
243 &s->cli_secmode, /* w */
244 /* reserved (..) */
245 &s->capabilities, /* l */
246 s->clnt_uuid); /* 16c */
247 /* start_time 8. */
248 if (rc != 0)
249 return (rc);
250 if (struct_size != 36)
251 return (-1);
252
253 /*
254 * Decode SMB2 Negotiate (variable part)
255 *
256 * Be somewhat tolerant while decoding the variable part
257 * so we can return errors instead of dropping the client.
258 * Will limit decoding to the size of cl_versions here,
259 * and do the error checks on version_cnt after the
260 * dtrace start probe.
261 */
262 if (version_cnt > 0 &&
263 version_cnt <= SMB2_NEGOTIATE_MAX_DIALECTS &&
264 smb_mbc_decodef(&sr->command, "#w", version_cnt,
265 cl_versions) != 0) {
266 /* decode error; force an error below */
267 version_cnt = 0;
268 }
269
270 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
271
272 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
273 (void) smb2_encode_header(sr, B_FALSE);
274
275 /*
276 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
277 * "If the SMB2 header of the SMB2 NEGOTIATE request has the
278 * SMB2_FLAGS_SIGNED bit set in the Flags field, the server
279 * MUST fail the request with STATUS_INVALID_PARAMETER."
280 */
281 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
282 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
283 status = NT_STATUS_INVALID_PARAMETER;
284 goto errout;
285 }
286
287 /*
288 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
289 * "If the DialectCount of the SMB2 NEGOTIATE Request is 0, the
290 * server MUST fail the request with STATUS_INVALID_PARAMETER."
291 */
292 if (version_cnt == 0 ||
293 version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
294 status = NT_STATUS_INVALID_PARAMETER;
295 goto errout;
296 }
297
298 /*
299 * The client offers an array of protocol versions it
300 * supports, which we have decoded into cl_versions[].
301 * We walk the array and pick the highest supported.
302 *
303 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
304 * "If a common dialect is not found, the server MUST fail
305 * the request with STATUS_NOT_SUPPORTED."
306 */
307 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
308 if (best_version == 0) {
309 status = NT_STATUS_NOT_SUPPORTED;
310 goto errout;
311 }
312 s->dialect = best_version;
313
314 /* Allow normal SMB2 requests now. */
315 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
316 s->newrq_func = smb2sr_newrq;
317
318 if (smb2_negotiate_common(sr, best_version) != 0)
319 status = NT_STATUS_INTERNAL_ERROR;
320
321 errout:
322 sr->smb2_status = status;
323 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
324
325 if (sr->smb2_status != 0)
326 smb2sr_put_error(sr, sr->smb2_status);
327 (void) smb2_encode_header(sr, B_TRUE);
328
329 smb2_send_reply(sr);
330
331 return (rc);
332 }
333
334 /*
335 * Common parts of SMB2 Negotiate, used for both the
336 * SMB1-to-SMB2 style, and straight SMB2 style.
337 * Do negotiation decisions and encode the reply.
338 * The caller does the network send.
339 *
340 * Return value is 0 for success, else error.
341 */
342 static int
343 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
344 {
345 timestruc_t boot_tv, now_tv;
346 smb_session_t *s = sr->session;
347 int rc;
348 uint32_t max_rwsize;
349 uint16_t secmode;
350
351 /*
352 * Negotiation itself. First the Security Mode.
353 */
354 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
355 if (sr->sr_cfg->skc_signing_required)
356 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
357 s->srv_secmode = secmode;
358
359 s->cmd_max_bytes = smb2_tcp_bufsize;
360 s->reply_max_bytes = smb2_tcp_bufsize;
361
362 /*
363 * "The number of credits held by the client MUST be considered
364 * as 1 when the connection is established." [MS-SMB2]
365 * We leave credits at 1 until the first successful
366 * session setup is completed.
367 */
368 s->s_cur_credits = s->s_max_credits = 1;
369 sr->smb2_credit_response = 1;
370
371 boot_tv.tv_sec = smb_get_boottime();
372 boot_tv.tv_nsec = 0;
373 now_tv.tv_sec = gethrestime_sec();
374 now_tv.tv_nsec = 0;
375
376 /*
377 * If the version is 0x2FF, we haven't completed negotiate.
378 * Don't initialize until we have our final request.
379 */
380 if (version != 0x2FF)
381 smb2_sign_init_mech(s);
382
383 /*
384 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
385 *
386 * The SMB2.x capabilities are returned without regard for
387 * what capabilities the client provided in the request.
388 * The SMB3.x capabilities returned are the traditional
389 * logical AND of server and client capabilities.
390 *
391 * One additional check: If KCF is missing something we
392 * require for encryption, turn off that capability.
393 */
394 if (s->dialect < SMB_VERS_2_1) {
395 /* SMB 2.002 */
396 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
397 } else if (s->dialect < SMB_VERS_3_0) {
398 /* SMB 2.x */
399 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
400 } else {
401 /* SMB 3.0 or later */
402 s->srv_cap = smb2srv_capabilities &
403 (SMB_2X_CAPS | s->capabilities);
404 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
405 smb3_encrypt_init_mech(s) != 0) {
406 s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
407 }
408 }
409
410 /*
411 * See notes above smb2_max_rwsize, smb2_old_rwsize
412 */
413 if (s->capabilities & SMB2_CAP_LARGE_MTU)
414 max_rwsize = smb2_max_rwsize;
415 else
416 max_rwsize = smb2_old_rwsize;
417
418 rc = smb_mbc_encodef(
419 &sr->reply,
420 "wwww#cllllTTwwl#c",
421 65, /* StructSize */ /* w */
422 s->srv_secmode, /* w */
423 version, /* w */
424 0, /* reserved */ /* w */
425 UUID_LEN, /* # */
426 &s->s_cfg.skc_machine_uuid, /* c */
427 s->srv_cap, /* l */
428 smb2_max_trans, /* l */
429 max_rwsize, /* l */
430 max_rwsize, /* l */
431 &now_tv, /* T */
432 &boot_tv, /* T */
433 128, /* SecBufOff */ /* w */
434 sr->sr_cfg->skc_negtok_len, /* w */
435 0, /* reserved */ /* l */
436 sr->sr_cfg->skc_negtok_len, /* # */
437 sr->sr_cfg->skc_negtok); /* c */
438
439 /* smb2_send_reply(sr); in caller */
440
441 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
442 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
443 sizeof (smb2_tcp_bufsize), CRED());
444 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
445 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
446 sizeof (smb2_tcp_bufsize), CRED());
447
448 return (rc);
449 }
450
451 /*
452 * SMB2 Dispatch table handler, which will run if we see an
453 * SMB2_NEGOTIATE after the initial negotiation is done.
454 * That would be a protocol error.
455 */
456 smb_sdrc_t
457 smb2_negotiate(smb_request_t *sr)
458 {
459 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
460 return (SDRC_ERROR);
461 }
462
463 /*
464 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
465 */
466 uint32_t
467 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
468 {
469 smb_session_t *s = sr->session;
470 int rc;
471
472 /*
473 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
474 * and verify that the original negotiate was not modified.
475 * The request MUST be signed, and we MUST validate the signature.
476 *
477 * One interesting requirement here is that we MUST reply
478 * with exactly the same information as we returned in our
479 * original reply to the SMB2 negotiate on this session.
480 * If we don't the client closes the connection.
481 */
482
483 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */
484 uint32_t capabilities;
485 uint16_t secmode, num_dialects, dialects[8];
486 uint8_t clnt_guid[16];
487
488 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
489 goto drop;
490
491 if (fsctl->InputCount < 24)
492 goto drop;
493
494 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww",
495 &capabilities, /* l */
496 &clnt_guid, /* 16c */
497 &secmode, /* w */
498 &num_dialects); /* w */
499
500 if (num_dialects == 0 || num_dialects > 8)
501 goto drop;
502 if (secmode != s->cli_secmode)
503 goto drop;
504 if (capabilities != s->capabilities)
505 goto drop;
506 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0)
507 goto drop;
508
509 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects)))
510 goto drop;
511
512 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects);
513 if (rc != 0)
514 goto drop;
515
516 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect)
517 goto drop;
518
519 rc = smb_mbc_encodef(
520 fsctl->out_mbc, "l#cww",
521 s->srv_cap, /* l */
522 UUID_LEN, /* # */
523 &s->s_cfg.skc_machine_uuid, /* c */
524 s->srv_secmode, /* w */
525 s->dialect); /* w */
526 if (rc == 0)
527 return (rc);
528
529 drop:
530 smb_session_disconnect(s);
531 return (NT_STATUS_ACCESS_DENIED);
532 }