1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 * Copyright 2020 RackTop Systems, Inc.
15 */
16
17 /*
18 * Dispatch function for SMB2_NEGOTIATE
19 */
20
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb2.h>
23 #include <sys/random.h>
24
25 /*
26 * Note from [MS-SMB2] Sec. 2.2.3: Windows servers return
27 * invalid parameter if the dialect count is greater than 64
28 * This is here (and not in smb2.h) because this is technically
29 * an implementation detail, not protocol specification.
30 */
31 #define SMB2_NEGOTIATE_MAX_DIALECTS 64
32
33 static int smb2_negotiate_common(smb_request_t *, uint16_t);
34
35 /* List of supported capabilities. Can be patched for testing. */
36 uint32_t smb2srv_capabilities =
37 SMB2_CAP_DFS |
38 SMB2_CAP_LEASING |
39 SMB2_CAP_LARGE_MTU |
40 SMB2_CAP_PERSISTENT_HANDLES |
41 SMB2_CAP_ENCRYPTION;
42
43 /* These are the only capabilities defined for SMB2.X */
44 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU)
45
46 /*
47 * These are not intended as customer tunables, but dev. & test folks
48 * might want to adjust them (with caution).
49 *
50 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
51 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
52 * This is also used as a "sanity limit" for internal send/reply message
53 * allocations. Note that with compounding SMB2 messages may contain
54 * multiple requests/responses. This size should be large enough for
55 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
56 *
57 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
58 * the client the largest read and write request size we'll support.
59 * For now, we're using contiguous allocations, so keep this at 64KB
60 * so that (even with message overhead) allocations stay below 128KB,
61 * avoiding kmem_alloc -> page_create_va thrashing.
62 *
63 * smb2_max_trans is the largest "transact" send or receive, which is
64 * used for directory listings and info set/get operations.
65 */
66 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
67 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */
68 uint32_t smb2_max_trans = (1<<16); /* 64KB */
69
70 /*
71 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
72 * (including all clients using dialect < SMB 2.1), use a "conservative" value
73 * for max r/w size because some older clients misbehave with larger values.
74 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
75 * Support) as the minimum so we'll use that.
76 */
77 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
78
79 /*
80 * List of all SMB2 versions we implement. Note that the
81 * versions we support may be limited by the
82 * _cfg.skc_max_protocol and min_protocol settings.
83 */
84 static uint16_t smb2_versions[] = {
85 0x202, /* SMB 2.002 */
86 0x210, /* SMB 2.1 */
87 0x300, /* SMB 3.0 */
88 0x302, /* SMB 3.02 */
89 0x311, /* SMB 3.11 */
90 };
91 static uint16_t smb2_nversions =
92 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
93
94 static boolean_t
95 smb2_supported_version(smb_session_t *s, uint16_t version)
96 {
97 int i;
98
99 if (version > s->s_cfg.skc_max_protocol ||
100 version < s->s_cfg.skc_min_protocol)
101 return (B_FALSE);
102 for (i = 0; i < smb2_nversions; i++)
103 if (version == smb2_versions[i])
104 return (B_TRUE);
105 return (B_FALSE);
106 }
107
108 /*
109 * Helper for the (SMB1) smb_com_negotiate(). This is the
110 * very unusual protocol interaction where an SMB1 negotiate
111 * gets an SMB2 negotiate response. This is the normal way
112 * clients first find out if the server supports SMB2.
113 *
114 * Note: This sends an SMB2 reply _itself_ and then returns
115 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
116 * Also, this is called directly from the reader thread, so
117 * we know this is the only thread using this session.
118 *
119 * The caller frees this request.
120 */
121 smb_sdrc_t
122 smb1_negotiate_smb2(smb_request_t *sr)
123 {
124 smb_session_t *s = sr->session;
125 smb_arg_negotiate_t *negprot = sr->sr_negprot;
126 uint16_t smb2_version;
127
128 /*
129 * Note: In the SMB1 negotiate command handler, we
130 * agreed with one of the SMB2 dialects. If that
131 * dialect was "SMB 2.002", we'll respond here with
132 * version 0x202 and negotiation is done. If that
133 * dialect was "SMB 2.???", we'll respond here with
134 * the "wildcard" version 0x2FF, and the client will
135 * come back with an SMB2 negotiate.
136 */
137 switch (negprot->ni_dialect) {
138 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
139 smb2_version = SMB_VERS_2_002;
140 s->dialect = smb2_version;
141 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
142 /* Allow normal SMB2 requests now. */
143 s->newrq_func = smb2sr_newrq;
144 break;
145 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
146 /*
147 * Expecting an SMB2 negotiate next, so keep the
148 * initial s->newrq_func.
149 */
150 smb2_version = 0x2FF;
151 break;
152 default:
153 return (SDRC_DROP_VC);
154 }
155
156 /*
157 * We did not decode an SMB2 header, so make sure
158 * the SMB2 header fields are initialized.
159 * (Most are zero from smb_request_alloc.)
160 * Also, the SMB1 common dispatch code reserved space
161 * for an SMB1 header, which we need to undo here.
162 */
163 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
164 sr->smb2_cmd_code = SMB2_NEGOTIATE;
165 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
166
167 (void) smb2_encode_header(sr, B_FALSE);
168 if (smb2_negotiate_common(sr, smb2_version) != 0)
169 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
170 if (sr->smb2_status != 0)
171 smb2sr_put_error(sr, sr->smb2_status);
172 (void) smb2_encode_header(sr, B_TRUE);
173
174 smb2_send_reply(sr);
175
176 /*
177 * We sent the reply, so tell the SMB1 dispatch
178 * it should NOT (also) send a reply.
179 */
180 return (SDRC_NO_REPLY);
181 }
182
183 static uint16_t
184 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[],
185 uint16_t version_cnt)
186 {
187 uint16_t best_version = 0;
188 int i;
189
190 for (i = 0; i < version_cnt; i++)
191 if (smb2_supported_version(s, cl_versions[i]) &&
192 best_version < cl_versions[i])
193 best_version = cl_versions[i];
194
195 return (best_version);
196 }
197
198 /*
199 * SMB2 Negotiate gets special handling. This is called directly by
200 * the reader thread (see smbsr_newrq_initial) with what _should_ be
201 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
202 * when this is called, so this needs to check the SMB command,
203 * if it's Negotiate execute it, then send the reply, etc.
204 *
205 * Since this is called directly from the reader thread, we
206 * know this is the only thread currently using this session.
207 * This has to duplicate some of what smb2sr_work does as a
208 * result of bypassing the normal dispatch mechanism.
209 *
210 * The caller always frees this request.
211 *
212 * Return value is 0 for success, and anything else will
213 * terminate the reader thread (drop the connection).
214 */
215 typedef struct smb31_preauth_integrity_caps_ctx {
216 uint16_t hash_count;
217 uint16_t salt_len;
218 char *salt;
219 } smb31_preauth_integrity_caps_ctx_t;
220
221 typedef struct smb31_encryption_caps_ctx {
222 uint16_t cipher_count;
223 } smb31_encrypt_caps_ctx_t;
224
225 enum smb3_neg_ctx_type {
226 SMB31_PREAUTH_INTEGRITY_CAPS = 1,
227 SMB31_ENCRYPTION_CAPS = 2
228 };
229
230 typedef struct smb3_negotiate_context {
231 uint16_t type;
232 uint16_t datalen;
233 uint32_t _resrvd;
234 char data[];
235 } smb3_neg_ctx_t;
236
237 typedef struct smb3_negotiate_context_info {
238 uint32_t offset;
239 uint16_t count;
240 uint16_t _resrvd;
241 } smb3_neg_ctx_info_t;
242
243 #define NEG_CTX_INFO_OFFSET (SMB2_HDR_SIZE + 28)
244 #define STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP (0xC05D0000)
245
246 #define STATUS_PREAUTH_HASH_OVERLAP \
247 STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP
248
249 /*
250 * This function should be called only for dialect >= 0x311
251 * Negotiate context list should contain exactly one
252 * smb31_preauth_INTEGRITY_CAPS context.
253 * Otherwise STATUS_INVALID_PARAMETER.
254 * It should contain at least 1 hash algorith what server does support.
255 * Otehrwise STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP.
256 */
257 static uint32_t
258 smb31_decode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
259 {
260 uint32_t status = 0;
261 int found_preauth_ctx = 0;
262 boolean_t preauth_sha512_enabled = B_FALSE;
263 boolean_t encrypt_ccm_enabled = B_FALSE;
264 boolean_t encrypt_gcm_enabled = B_FALSE;
265 uint16_t cipher = sr->sr_server->sv_cfg.skc_encrypt_cipher;
266 smb3_neg_ctx_info_t neg_ctx_info;
267 int cnt, i;
268 int rc;
269
270 sr->command.chain_offset = NEG_CTX_INFO_OFFSET;
271
272 rc = smb_mbc_decodef(&sr->command, "lw2.",
273 &neg_ctx_info.offset, /* l */
274 &neg_ctx_info.count); /* w */
275 if (rc != 0) {
276 status = NT_STATUS_INVALID_PARAMETER;
277 goto errout;
278 }
279
280 /*
281 * There should be exactly 1 SMB31_PREAUTH_INTEGRITY_CAPS negotiate ctx.
282 * SMB31_ENCRYPTION_CAPS is optional one.
283 */
284 cnt = neg_ctx_info.count;
285 if (cnt < 1) {
286 status = NT_STATUS_INVALID_PARAMETER;
287 goto errout;
288 }
289
290 sr->command.chain_offset = neg_ctx_info.offset;
291
292 /*
293 * Parse negotiate contexts.
294 */
295 for (i = 0; i < cnt; i++) {
296 smb3_neg_ctx_t neg_ctx;
297
298 sr->command.chain_offset =
299 P2ROUNDUP(sr->command.chain_offset, 8);
300
301 rc = smb_mbc_decodef(
302 &sr->command, "ww4.",
303 &neg_ctx.type, /* w */
304 &neg_ctx.datalen); /* w */
305 if (rc != 0) {
306 status = NT_STATUS_INVALID_PARAMETER;
307 goto errout;
308 }
309
310 if (neg_ctx.type == SMB31_PREAUTH_INTEGRITY_CAPS) {
311 smb31_preauth_integrity_caps_ctx_t pic_ctx;
312
313 if (found_preauth_ctx++ != 0) {
314 status = NT_STATUS_INVALID_PARAMETER;
315 goto errout;
316 }
317
318 rc = smb_mbc_decodef(
319 &sr->command, "ww",
320 &pic_ctx.hash_count, /* w */
321 &pic_ctx.salt_len); /* w */
322 if (rc != 0) {
323 status = NT_STATUS_INVALID_PARAMETER;
324 goto errout;
325 }
326
327 /*
328 * In SMB 0x311 there should be exactly 1 preauth
329 * negotiate context, and there should be exactly 1
330 * hash value in the list - SHA512.
331 */
332 if (pic_ctx.hash_count != 1) {
333 status = NT_STATUS_INVALID_PARAMETER;
334 goto errout;
335 }
336
337 for (int k = 0; k < pic_ctx.hash_count; k++) {
338 uint16_t hash_id;
339
340 rc = smb_mbc_decodef(
341 &sr->command, "w",
342 &hash_id); /* w */
343
344 switch (hash_id) {
345 case SMB3_HASH_SHA512:
346 preauth_sha512_enabled = B_TRUE;
347 break;
348 default:
349 ;
350 }
351 }
352
353 rc = smb_mbc_decodef(
354 &sr->command, "#.",
355 pic_ctx.salt_len);
356
357 } else if (neg_ctx.type == SMB31_ENCRYPTION_CAPS) {
358 smb31_encrypt_caps_ctx_t enc_ctx;
359
360 rc = smb_mbc_decodef(
361 &sr->command, "w",
362 &enc_ctx.cipher_count); /* w */
363 if (rc != 0) {
364 status = NT_STATUS_INVALID_PARAMETER;
365 goto errout;
366 }
367
368 for (int k = 0; k < enc_ctx.cipher_count; k++) {
369 uint16_t cipher_id;
370
371 rc = smb_mbc_decodef(
372 &sr->command, "w",
373 &cipher_id); /* w */
374
375 switch (cipher_id) {
376 case SMB3_CIPHER_AES128_CCM:
377 encrypt_ccm_enabled = B_TRUE;
378 break;
379 case SMB3_CIPHER_AES128_GCM:
380 encrypt_gcm_enabled = B_TRUE;
381 break;
382 default:
383 ;
384 }
385 }
386 } else {
387 /* Skip unsupported context */
388 ASSERT0(smb_mbc_decodef(
389 &sr->command, "#.",
390 neg_ctx.datalen));
391 }
392 }
393
394 /* Not found mandatory SMB31_PREAUTH_INTEGRITY_CAPS ctx */
395 if (!found_preauth_ctx)
396 status = NT_STATUS_INVALID_PARAMETER;
397
398 if (!preauth_sha512_enabled) {
399 status = STATUS_PREAUTH_HASH_OVERLAP;
400 goto errout;
401 }
402
403 s->smb31_preauth_hashid = SMB3_HASH_SHA512;
404
405 switch (cipher) {
406 case SMB3_CIPHER_AES128_GCM:
407 if (encrypt_gcm_enabled) {
408 s->smb31_enc_cipherid = cipher;
409 break;
410 }
411 /* FALLTHROUGH */
412 case SMB3_CIPHER_AES128_CCM:
413 if (encrypt_ccm_enabled) {
414 s->smb31_enc_cipherid = cipher;
415 break;
416 }
417 /* FALLTHROUGH */
418 default:
419 s->smb31_enc_cipherid = 0;
420 }
421
422 errout:
423 return (status);
424 }
425
426 #define SMB31_PREAUTH_CTX_SALT_LEN 32
427
428 static int
429 smb31_encode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
430 {
431 uint8_t salt[SMB31_PREAUTH_CTX_SALT_LEN];
432 uint16_t salt_len = SMB31_PREAUTH_CTX_SALT_LEN;
433 uint32_t preauth_ctx_len = 6 + salt_len;
434 uint32_t enc_ctx_len = 4;
435 uint32_t neg_ctx_off = SMB2_HDR_SIZE + 64 +
436 P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
437 uint32_t rc;
438
439 sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
440
441 ASSERT3S(neg_ctx_off, ==, sr->reply.chain_offset);
442
443 (void) random_get_pseudo_bytes(salt, sizeof (salt));
444
445 rc = smb_mbc_encodef(
446 &sr->reply, "ww4.",
447 SMB31_PREAUTH_INTEGRITY_CAPS,
448 preauth_ctx_len
449 /* 4. */); /* reserverd */
450
451 ASSERT0(rc);
452 rc = smb_mbc_encodef(
453 &sr->reply, "www#c",
454 1, /* hash algo count */
455 salt_len, /* salt length */
456 s->smb31_preauth_hashid, /* hash id */
457 salt_len, /* salt length */
458 salt);
459
460 /* aligned on 8-bytes boundary */
461 if (rc != 0 || s->smb31_enc_cipherid == 0) {
462 cmn_err(CE_NOTE, "Encryption is not supported");
463 return (rc);
464 }
465
466 if (sr->reply.chain_offset % 8 != 0) {
467 sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
468 }
469
470 rc = smb_mbc_encodef(
471 &sr->reply, "ww4.",
472 SMB31_ENCRYPTION_CAPS,
473 enc_ctx_len
474 /* 4. */); /* reserverd */
475
476 rc = smb_mbc_encodef(
477 &sr->reply, "ww",
478 1, /* cipher count */
479 s->smb31_enc_cipherid); /* encrypt. cipher id */
480
481 return (rc);
482 }
483
484 int
485 smb2_newrq_negotiate(smb_request_t *sr)
486 {
487 smb_session_t *s = sr->session;
488 int rc;
489 uint32_t status = 0;
490 uint16_t struct_size;
491 uint16_t best_version;
492 uint16_t version_cnt;
493 uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
494
495 sr->smb2_cmd_hdr = sr->command.chain_offset;
496 rc = smb2_decode_header(sr);
497 if (rc != 0)
498 return (rc);
499
500 if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
501 return (-1);
502
503 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
504 (sr->smb2_next_command != 0))
505 return (-1);
506
507 /*
508 * Decode SMB2 Negotiate (fixed-size part)
509 */
510 rc = smb_mbc_decodef(
511 &sr->command, "www..l16c8.",
512 &struct_size, /* w */
513 &version_cnt, /* w */
514 &s->cli_secmode, /* w */
515 /* reserved (..) */
516 &s->capabilities, /* l */
517 s->clnt_uuid); /* 16c */
518 /* start_time 8. */
519 if (rc != 0)
520 return (rc);
521 if (struct_size != 36)
522 return (-1);
523
524 /*
525 * Decode SMB2 Negotiate (variable part)
526 *
527 * Be somewhat tolerant while decoding the variable part
528 * so we can return errors instead of dropping the client.
529 * Will limit decoding to the size of cl_versions here,
530 * and do the error checks on version_cnt after the
531 * dtrace start probe.
532 */
533 if (version_cnt > 0 &&
534 version_cnt <= SMB2_NEGOTIATE_MAX_DIALECTS &&
535 smb_mbc_decodef(&sr->command, "#w", version_cnt,
536 cl_versions) != 0) {
537 /* decode error; force an error below */
538 version_cnt = 0;
539 }
540
541 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
542
543 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
544 (void) smb2_encode_header(sr, B_FALSE);
545
546 /*
547 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
548 * "If the SMB2 header of the SMB2 NEGOTIATE request has the
549 * SMB2_FLAGS_SIGNED bit set in the Flags field, the server
550 * MUST fail the request with STATUS_INVALID_PARAMETER."
551 */
552 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
553 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
554 status = NT_STATUS_INVALID_PARAMETER;
555 goto errout;
556 }
557
558 /*
559 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
560 * "If the DialectCount of the SMB2 NEGOTIATE Request is 0, the
561 * server MUST fail the request with STATUS_INVALID_PARAMETER."
562 */
563 if (version_cnt == 0 ||
564 version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
565 status = NT_STATUS_INVALID_PARAMETER;
566 goto errout;
567 }
568
569 /*
570 * The client offers an array of protocol versions it
571 * supports, which we have decoded into cl_versions[].
572 * We walk the array and pick the highest supported.
573 *
574 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
575 * "If a common dialect is not found, the server MUST fail
576 * the request with STATUS_NOT_SUPPORTED."
577 */
578 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
579 if (best_version == 0) {
580 status = NT_STATUS_NOT_SUPPORTED;
581 goto errout;
582 }
583 if (best_version >= 0x311) {
584 if ((status = smb31_decode_neg_ctxs(sr, s)) != 0)
585 goto errout;
586 }
587
588 s->dialect = best_version;
589
590 /* Allow normal SMB2 requests now. */
591 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
592 s->newrq_func = smb2sr_newrq;
593
594 if (smb2_negotiate_common(sr, best_version) != 0)
595 status = NT_STATUS_INTERNAL_ERROR;
596
597 errout:
598 sr->smb2_status = status;
599 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
600
601 if (sr->smb2_status != 0)
602 smb2sr_put_error(sr, sr->smb2_status);
603 (void) smb2_encode_header(sr, B_TRUE);
604
605 if (s->dialect >= SMB_VERS_3_11) {
606 ASSERT3U(s->smb31_preauth_hashid, !=, 0);
607 (void) smb31_preauth_sha512_calc(sr, &sr->reply,
608 s->smb31_preauth_hashval);
609 }
610
611 smb2_send_reply(sr);
612
613 return (rc);
614 }
615
616 /*
617 * Common parts of SMB2 Negotiate, used for both the
618 * SMB1-to-SMB2 style, and straight SMB2 style.
619 * Do negotiation decisions and encode the reply.
620 * The caller does the network send.
621 *
622 * Return value is 0 for success, else error.
623 */
624 static int
625 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
626 {
627 timestruc_t boot_tv, now_tv;
628 smb_session_t *s = sr->session;
629 int rc;
630 uint32_t max_rwsize;
631 uint16_t secmode;
632 uint16_t neg_ctx_cnt = 0;
633 uint32_t neg_ctx_off = 0;
634
635 /*
636 * Negotiation itself. First the Security Mode.
637 */
638 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
639 if (sr->sr_cfg->skc_signing_required)
640 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
641 s->srv_secmode = secmode;
642
643 s->cmd_max_bytes = smb2_tcp_bufsize;
644 s->reply_max_bytes = smb2_tcp_bufsize;
645
646 /*
647 * "The number of credits held by the client MUST be considered
648 * as 1 when the connection is established." [MS-SMB2]
649 * We leave credits at 1 until the first successful
650 * session setup is completed.
651 */
652 s->s_cur_credits = s->s_max_credits = 1;
653 sr->smb2_credit_response = 1;
654
655 boot_tv.tv_sec = smb_get_boottime();
656 boot_tv.tv_nsec = 0;
657 now_tv.tv_sec = gethrestime_sec();
658 now_tv.tv_nsec = 0;
659
660 /*
661 * If the version is 0x2FF, we haven't completed negotiate.
662 * Don't initialize until we have our final request.
663 */
664 if (version != 0x2FF)
665 smb2_sign_init_mech(s);
666 if (version >= 0x311)
667 smb31_preauth_init_mech(s);
668
669 /*
670 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
671 *
672 * The SMB2.x capabilities are returned without regard for
673 * what capabilities the client provided in the request.
674 * The SMB3.x capabilities returned are the traditional
675 * logical AND of server and client capabilities.
676 *
677 * One additional check: If KCF is missing something we
678 * require for encryption, turn off that capability.
679 */
680 if (s->dialect < SMB_VERS_2_1) {
681 /* SMB 2.002 */
682 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
683 } else if (s->dialect < SMB_VERS_3_0) {
684 /* SMB 2.x */
685 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
686 } else {
687 /* SMB 3.0 or later */
688 s->srv_cap = smb2srv_capabilities &
689 (SMB_2X_CAPS | s->capabilities);
690 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
691 smb3_encrypt_init_mech(s) != 0) {
692 s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
693 s->smb31_enc_cipherid = 0;
694 }
695
696 if (s->dialect >= SMB_VERS_3_11) {
697 neg_ctx_cnt = s->smb31_enc_cipherid == 0 ? 1 : 2;
698 neg_ctx_off = SMB2_HDR_SIZE + 64 +
699 P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
700
701 ASSERT3U(s->smb31_preauth_hashid, !=, 0);
702 (void) smb31_preauth_sha512_calc(sr, &sr->command,
703 s->smb31_preauth_hashval);
704 }
705 }
706
707 /*
708 * See notes above smb2_max_rwsize, smb2_old_rwsize
709 */
710 if (s->capabilities & SMB2_CAP_LARGE_MTU)
711 max_rwsize = smb2_max_rwsize;
712 else
713 max_rwsize = smb2_old_rwsize;
714
715 rc = smb_mbc_encodef(
716 &sr->reply,
717 "wwww#cllllTTwwl#c",
718 65, /* StructSize */ /* w */
719 s->srv_secmode, /* w */
720 version, /* w */
721 neg_ctx_cnt, /* w */
722 UUID_LEN, /* # */
723 &s->s_cfg.skc_machine_uuid, /* c */
724 s->srv_cap, /* l */
725 smb2_max_trans, /* l */
726 max_rwsize, /* l */
727 max_rwsize, /* l */
728 &now_tv, /* T */
729 &boot_tv, /* T */
730 128, /* SecBufOff */ /* w */
731 sr->sr_cfg->skc_negtok_len, /* w */
732 neg_ctx_off, /* l */
733 sr->sr_cfg->skc_negtok_len, /* # */
734 sr->sr_cfg->skc_negtok); /* c */
735
736
737
738 if (neg_ctx_cnt) {
739 rc = smb31_encode_neg_ctxs(sr, s);
740 }
741
742 /* smb2_send_reply(sr); in caller */
743
744 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
745 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
746 sizeof (smb2_tcp_bufsize), CRED());
747 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
748 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
749 sizeof (smb2_tcp_bufsize), CRED());
750
751 return (rc);
752 }
753
754 /*
755 * SMB2 Dispatch table handler, which will run if we see an
756 * SMB2_NEGOTIATE after the initial negotiation is done.
757 * That would be a protocol error.
758 */
759 smb_sdrc_t
760 smb2_negotiate(smb_request_t *sr)
761 {
762 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
763 return (SDRC_ERROR);
764 }
765
766 /*
767 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
768 */
769 uint32_t
770 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
771 {
772 smb_session_t *s = sr->session;
773 int rc;
774
775 /*
776 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
777 * and verify that the original negotiate was not modified.
778 * The request MUST be signed, and we MUST validate the signature.
779 *
780 * One interesting requirement here is that we MUST reply
781 * with exactly the same information as we returned in our
782 * original reply to the SMB2 negotiate on this session.
783 * If we don't the client closes the connection.
784 */
785
786 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */
787 uint32_t capabilities;
788 uint16_t secmode, num_dialects, dialects[8];
789 uint8_t clnt_guid[16];
790
791 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
792 goto drop;
793
794 if (fsctl->InputCount < 24)
795 goto drop;
796
797 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww",
798 &capabilities, /* l */
799 &clnt_guid, /* 16c */
800 &secmode, /* w */
801 &num_dialects); /* w */
802
803 if (num_dialects == 0 || num_dialects > 8)
804 goto drop;
805 if (secmode != s->cli_secmode)
806 goto drop;
807 if (capabilities != s->capabilities)
808 goto drop;
809 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0)
810 goto drop;
811
812 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects)))
813 goto drop;
814
815 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects);
816 if (rc != 0)
817 goto drop;
818
819 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect)
820 goto drop;
821
822 rc = smb_mbc_encodef(
823 fsctl->out_mbc, "l#cww",
824 s->srv_cap, /* l */
825 UUID_LEN, /* # */
826 &s->s_cfg.skc_machine_uuid, /* c */
827 s->srv_secmode, /* w */
828 s->dialect); /* w */
829 if (rc == 0)
830 return (rc);
831
832 drop:
833 smb_session_disconnect(s);
834 return (NT_STATUS_ACCESS_DENIED);
835 }