1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved. 14 * Copyright 2019 RackTop Systems. 15 */ 16 17 /* 18 * Dispatch function for SMB2_NEGOTIATE 19 */ 20 21 #include <smbsrv/smb2_kproto.h> 22 #include <smbsrv/smb2.h> 23 24 /* 25 * Note from [MS-SMB2] Sec. 2.2.3: Windows servers return 26 * invalid parameter if the dialect count is greater than 64 27 * This is here (and not in smb2.h) because this is technically 28 * an implementation detail, not protocol specification. 29 */ 30 #define SMB2_NEGOTIATE_MAX_DIALECTS 64 31 32 static int smb2_negotiate_common(smb_request_t *, uint16_t); 33 34 /* List of supported capabilities. Can be patched for testing. */ 35 uint32_t smb2srv_capabilities = 36 SMB2_CAP_DFS | 37 SMB2_CAP_LEASING | 38 SMB2_CAP_LARGE_MTU | 39 SMB2_CAP_PERSISTENT_HANDLES | 40 SMB2_CAP_ENCRYPTION; 41 42 /* These are the only capabilities defined for SMB2.X */ 43 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU) 44 45 /* 46 * These are not intended as customer tunables, but dev. & test folks 47 * might want to adjust them (with caution). 48 * 49 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 50 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 51 * This is also used as a "sanity limit" for internal send/reply message 52 * allocations. Note that with compounding SMB2 messages may contain 53 * multiple requests/responses. This size should be large enough for 54 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 55 * 56 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 57 * the client the largest read and write request size we'll support. 58 * For now, we're using contiguous allocations, so keep this at 64KB 59 * so that (even with message overhead) allocations stay below 128KB, 60 * avoiding kmem_alloc -> page_create_va thrashing. 61 * 62 * smb2_max_trans is the largest "transact" send or receive, which is 63 * used for directory listings and info set/get operations. 64 */ 65 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 66 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 67 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 68 69 /* 70 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 71 * (including all clients using dialect < SMB 2.1), use a "conservative" value 72 * for max r/w size because some older clients misbehave with larger values. 73 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 74 * Support) as the minimum so we'll use that. 75 */ 76 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 77 78 /* 79 * List of all SMB2 versions we implement. Note that the 80 * versions we support may be limited by the 81 * _cfg.skc_max_protocol and min_protocol settings. 82 */ 83 static uint16_t smb2_versions[] = { 84 0x202, /* SMB 2.002 */ 85 0x210, /* SMB 2.1 */ 86 0x300, /* SMB 3.0 */ 87 0x302, /* SMB 3.02 */ 88 }; 89 static uint16_t smb2_nversions = 90 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 91 92 static boolean_t 93 smb2_supported_version(smb_session_t *s, uint16_t version) 94 { 95 int i; 96 97 if (version > s->s_cfg.skc_max_protocol || 98 version < s->s_cfg.skc_min_protocol) 99 return (B_FALSE); 100 for (i = 0; i < smb2_nversions; i++) 101 if (version == smb2_versions[i]) 102 return (B_TRUE); 103 return (B_FALSE); 104 } 105 106 /* 107 * Helper for the (SMB1) smb_com_negotiate(). This is the 108 * very unusual protocol interaction where an SMB1 negotiate 109 * gets an SMB2 negotiate response. This is the normal way 110 * clients first find out if the server supports SMB2. 111 * 112 * Note: This sends an SMB2 reply _itself_ and then returns 113 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 114 * Also, this is called directly from the reader thread, so 115 * we know this is the only thread using this session. 116 * 117 * The caller frees this request. 118 */ 119 smb_sdrc_t 120 smb1_negotiate_smb2(smb_request_t *sr) 121 { 122 smb_session_t *s = sr->session; 123 smb_arg_negotiate_t *negprot = sr->sr_negprot; 124 uint16_t smb2_version; 125 126 /* 127 * Note: In the SMB1 negotiate command handler, we 128 * agreed with one of the SMB2 dialects. If that 129 * dialect was "SMB 2.002", we'll respond here with 130 * version 0x202 and negotiation is done. If that 131 * dialect was "SMB 2.???", we'll respond here with 132 * the "wildcard" version 0x2FF, and the client will 133 * come back with an SMB2 negotiate. 134 */ 135 switch (negprot->ni_dialect) { 136 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 137 smb2_version = SMB_VERS_2_002; 138 s->dialect = smb2_version; 139 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 140 /* Allow normal SMB2 requests now. */ 141 s->newrq_func = smb2sr_newrq; 142 break; 143 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 144 /* 145 * Expecting an SMB2 negotiate next, so keep the 146 * initial s->newrq_func. 147 */ 148 smb2_version = 0x2FF; 149 break; 150 default: 151 return (SDRC_DROP_VC); 152 } 153 154 /* 155 * We did not decode an SMB2 header, so make sure 156 * the SMB2 header fields are initialized. 157 * (Most are zero from smb_request_alloc.) 158 * Also, the SMB1 common dispatch code reserved space 159 * for an SMB1 header, which we need to undo here. 160 */ 161 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 162 sr->smb2_cmd_code = SMB2_NEGOTIATE; 163 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 164 165 (void) smb2_encode_header(sr, B_FALSE); 166 if (smb2_negotiate_common(sr, smb2_version) != 0) 167 sr->smb2_status = NT_STATUS_INTERNAL_ERROR; 168 if (sr->smb2_status != 0) 169 smb2sr_put_error(sr, sr->smb2_status); 170 (void) smb2_encode_header(sr, B_TRUE); 171 172 smb2_send_reply(sr); 173 174 /* 175 * We sent the reply, so tell the SMB1 dispatch 176 * it should NOT (also) send a reply. 177 */ 178 return (SDRC_NO_REPLY); 179 } 180 181 static uint16_t 182 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[], 183 uint16_t version_cnt) 184 { 185 uint16_t best_version = 0; 186 int i; 187 188 for (i = 0; i < version_cnt; i++) 189 if (smb2_supported_version(s, cl_versions[i]) && 190 best_version < cl_versions[i]) 191 best_version = cl_versions[i]; 192 193 return (best_version); 194 } 195 196 /* 197 * SMB2 Negotiate gets special handling. This is called directly by 198 * the reader thread (see smbsr_newrq_initial) with what _should_ be 199 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 200 * when this is called, so this needs to check the SMB command, 201 * if it's Negotiate execute it, then send the reply, etc. 202 * 203 * Since this is called directly from the reader thread, we 204 * know this is the only thread currently using this session. 205 * This has to duplicate some of what smb2sr_work does as a 206 * result of bypassing the normal dispatch mechanism. 207 * 208 * The caller always frees this request. 209 * 210 * Return value is 0 for success, and anything else will 211 * terminate the reader thread (drop the connection). 212 */ 213 int 214 smb2_newrq_negotiate(smb_request_t *sr) 215 { 216 smb_session_t *s = sr->session; 217 int rc; 218 uint32_t status = 0; 219 uint16_t struct_size; 220 uint16_t best_version; 221 uint16_t version_cnt; 222 uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS]; 223 224 sr->smb2_cmd_hdr = sr->command.chain_offset; 225 rc = smb2_decode_header(sr); 226 if (rc != 0) 227 return (rc); 228 229 if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) 230 return (-1); 231 232 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 233 (sr->smb2_next_command != 0)) 234 return (-1); 235 236 /* 237 * Decode SMB2 Negotiate (fixed-size part) 238 */ 239 rc = smb_mbc_decodef( 240 &sr->command, "www..l16c8.", 241 &struct_size, /* w */ 242 &version_cnt, /* w */ 243 &s->cli_secmode, /* w */ 244 /* reserved (..) */ 245 &s->capabilities, /* l */ 246 s->clnt_uuid); /* 16c */ 247 /* start_time 8. */ 248 if (rc != 0) 249 return (rc); 250 if (struct_size != 36) 251 return (-1); 252 253 /* 254 * Decode SMB2 Negotiate (variable part) 255 * 256 * Be somewhat tolerant while decoding the variable part 257 * so we can return errors instead of dropping the client. 258 * Will limit decoding to the size of cl_versions here, 259 * and do the error checks on version_cnt after the 260 * dtrace start probe. 261 */ 262 if (version_cnt > 0 && 263 version_cnt <= SMB2_NEGOTIATE_MAX_DIALECTS && 264 smb_mbc_decodef(&sr->command, "#w", version_cnt, 265 cl_versions) != 0) { 266 /* decode error; force an error below */ 267 version_cnt = 0; 268 } 269 270 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 271 272 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR; 273 (void) smb2_encode_header(sr, B_FALSE); 274 275 /* 276 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 277 * "If the SMB2 header of the SMB2 NEGOTIATE request has the 278 * SMB2_FLAGS_SIGNED bit set in the Flags field, the server 279 * MUST fail the request with STATUS_INVALID_PARAMETER." 280 */ 281 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) { 282 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 283 status = NT_STATUS_INVALID_PARAMETER; 284 goto errout; 285 } 286 287 /* 288 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 289 * "If the DialectCount of the SMB2 NEGOTIATE Request is 0, the 290 * server MUST fail the request with STATUS_INVALID_PARAMETER." 291 */ 292 if (version_cnt == 0 || 293 version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) { 294 status = NT_STATUS_INVALID_PARAMETER; 295 goto errout; 296 } 297 298 /* 299 * The client offers an array of protocol versions it 300 * supports, which we have decoded into cl_versions[]. 301 * We walk the array and pick the highest supported. 302 * 303 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 304 * "If a common dialect is not found, the server MUST fail 305 * the request with STATUS_NOT_SUPPORTED." 306 */ 307 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt); 308 if (best_version == 0) { 309 status = NT_STATUS_NOT_SUPPORTED; 310 goto errout; 311 } 312 s->dialect = best_version; 313 314 /* Allow normal SMB2 requests now. */ 315 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 316 s->newrq_func = smb2sr_newrq; 317 318 if (smb2_negotiate_common(sr, best_version) != 0) 319 status = NT_STATUS_INTERNAL_ERROR; 320 321 errout: 322 sr->smb2_status = status; 323 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 324 325 if (sr->smb2_status != 0) 326 smb2sr_put_error(sr, sr->smb2_status); 327 (void) smb2_encode_header(sr, B_TRUE); 328 329 smb2_send_reply(sr); 330 331 return (rc); 332 } 333 334 /* 335 * Common parts of SMB2 Negotiate, used for both the 336 * SMB1-to-SMB2 style, and straight SMB2 style. 337 * Do negotiation decisions and encode the reply. 338 * The caller does the network send. 339 * 340 * Return value is 0 for success, else error. 341 */ 342 static int 343 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 344 { 345 timestruc_t boot_tv, now_tv; 346 smb_session_t *s = sr->session; 347 int rc; 348 uint32_t max_rwsize; 349 uint16_t secmode; 350 351 /* 352 * Negotiation itself. First the Security Mode. 353 */ 354 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 355 if (sr->sr_cfg->skc_signing_required) 356 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 357 s->srv_secmode = secmode; 358 359 s->cmd_max_bytes = smb2_tcp_bufsize; 360 s->reply_max_bytes = smb2_tcp_bufsize; 361 362 /* 363 * "The number of credits held by the client MUST be considered 364 * as 1 when the connection is established." [MS-SMB2] 365 * We leave credits at 1 until the first successful 366 * session setup is completed. 367 */ 368 s->s_cur_credits = s->s_max_credits = 1; 369 sr->smb2_credit_response = 1; 370 371 boot_tv.tv_sec = smb_get_boottime(); 372 boot_tv.tv_nsec = 0; 373 now_tv.tv_sec = gethrestime_sec(); 374 now_tv.tv_nsec = 0; 375 376 /* 377 * If the version is 0x2FF, we haven't completed negotiate. 378 * Don't initialize until we have our final request. 379 */ 380 if (version != 0x2FF) 381 smb2_sign_init_mech(s); 382 383 /* 384 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 385 * 386 * The SMB2.x capabilities are returned without regard for 387 * what capabilities the client provided in the request. 388 * The SMB3.x capabilities returned are the traditional 389 * logical AND of server and client capabilities. 390 * 391 * One additional check: If KCF is missing something we 392 * require for encryption, turn off that capability. 393 */ 394 if (s->dialect < SMB_VERS_2_1) { 395 /* SMB 2.002 */ 396 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS; 397 } else if (s->dialect < SMB_VERS_3_0) { 398 /* SMB 2.x */ 399 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS; 400 } else { 401 /* SMB 3.0 or later */ 402 s->srv_cap = smb2srv_capabilities & 403 (SMB_2X_CAPS | s->capabilities); 404 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 && 405 smb3_encrypt_init_mech(s) != 0) { 406 s->srv_cap &= ~SMB2_CAP_ENCRYPTION; 407 } 408 } 409 410 /* 411 * See notes above smb2_max_rwsize, smb2_old_rwsize 412 */ 413 if (s->capabilities & SMB2_CAP_LARGE_MTU) 414 max_rwsize = smb2_max_rwsize; 415 else 416 max_rwsize = smb2_old_rwsize; 417 418 rc = smb_mbc_encodef( 419 &sr->reply, 420 "wwww#cllllTTwwl#c", 421 65, /* StructSize */ /* w */ 422 s->srv_secmode, /* w */ 423 version, /* w */ 424 0, /* reserved */ /* w */ 425 UUID_LEN, /* # */ 426 &s->s_cfg.skc_machine_uuid, /* c */ 427 s->srv_cap, /* l */ 428 smb2_max_trans, /* l */ 429 max_rwsize, /* l */ 430 max_rwsize, /* l */ 431 &now_tv, /* T */ 432 &boot_tv, /* T */ 433 128, /* SecBufOff */ /* w */ 434 sr->sr_cfg->skc_negtok_len, /* w */ 435 0, /* reserved */ /* l */ 436 sr->sr_cfg->skc_negtok_len, /* # */ 437 sr->sr_cfg->skc_negtok); /* c */ 438 439 /* smb2_send_reply(sr); in caller */ 440 441 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 442 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 443 sizeof (smb2_tcp_bufsize), CRED()); 444 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 445 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 446 sizeof (smb2_tcp_bufsize), CRED()); 447 448 return (rc); 449 } 450 451 /* 452 * SMB2 Dispatch table handler, which will run if we see an 453 * SMB2_NEGOTIATE after the initial negotiation is done. 454 * That would be a protocol error. 455 */ 456 smb_sdrc_t 457 smb2_negotiate(smb_request_t *sr) 458 { 459 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 460 return (SDRC_ERROR); 461 } 462 463 /* 464 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 465 */ 466 uint32_t 467 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) 468 { 469 smb_session_t *s = sr->session; 470 int rc; 471 472 /* 473 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 474 * and verify that the original negotiate was not modified. 475 * The request MUST be signed, and we MUST validate the signature. 476 * 477 * One interesting requirement here is that we MUST reply 478 * with exactly the same information as we returned in our 479 * original reply to the SMB2 negotiate on this session. 480 * If we don't the client closes the connection. 481 */ 482 483 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */ 484 uint32_t capabilities; 485 uint16_t secmode, num_dialects, dialects[8]; 486 uint8_t clnt_guid[16]; 487 488 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0) 489 goto drop; 490 491 if (fsctl->InputCount < 24) 492 goto drop; 493 494 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww", 495 &capabilities, /* l */ 496 &clnt_guid, /* 16c */ 497 &secmode, /* w */ 498 &num_dialects); /* w */ 499 500 if (num_dialects == 0 || num_dialects > 8) 501 goto drop; 502 if (secmode != s->cli_secmode) 503 goto drop; 504 if (capabilities != s->capabilities) 505 goto drop; 506 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0) 507 goto drop; 508 509 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects))) 510 goto drop; 511 512 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects); 513 if (rc != 0) 514 goto drop; 515 516 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect) 517 goto drop; 518 519 rc = smb_mbc_encodef( 520 fsctl->out_mbc, "l#cww", 521 s->srv_cap, /* l */ 522 UUID_LEN, /* # */ 523 &s->s_cfg.skc_machine_uuid, /* c */ 524 s->srv_secmode, /* w */ 525 s->dialect); /* w */ 526 if (rc == 0) 527 return (rc); 528 529 drop: 530 smb_session_disconnect(s); 531 return (NT_STATUS_ACCESS_DENIED); 532 }