1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 * Copyright 2019 RackTop Systems.
15 */
16
17 /*
18 * Dispatch function for SMB2_NEGOTIATE
19 */
20
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb2.h>
23
24 /*
25 * Note from [MS-SMB2] Sec. 2.2.3: Windows servers return
26 * invalid parameter if the dialect count is greater than 64
27 * This is here (and not in smb2.h) because this is technically
28 * an implementation detail, not protocol specification.
29 */
30 #define SMB2_NEGOTIATE_MAX_DIALECTS 64
31
32 static int smb2_negotiate_common(smb_request_t *, uint16_t);
33
34 /* List of supported capabilities. Can be patched for testing. */
35 uint32_t smb2srv_capabilities =
36 SMB2_CAP_DFS |
37 SMB2_CAP_LEASING |
38 SMB2_CAP_LARGE_MTU |
39 SMB2_CAP_PERSISTENT_HANDLES |
40 SMB2_CAP_ENCRYPTION;
41
42 /* These are the only capabilities defined for SMB2.X */
68
69 /*
70 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
71 * (including all clients using dialect < SMB 2.1), use a "conservative" value
72 * for max r/w size because some older clients misbehave with larger values.
73 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
74 * Support) as the minimum so we'll use that.
75 */
76 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
77
78 /*
79 * List of all SMB2 versions we implement. Note that the
80 * versions we support may be limited by the
81 * _cfg.skc_max_protocol and min_protocol settings.
82 */
83 static uint16_t smb2_versions[] = {
84 0x202, /* SMB 2.002 */
85 0x210, /* SMB 2.1 */
86 0x300, /* SMB 3.0 */
87 0x302, /* SMB 3.02 */
88 };
89 static uint16_t smb2_nversions =
90 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
91
92 static boolean_t
93 smb2_supported_version(smb_session_t *s, uint16_t version)
94 {
95 int i;
96
97 if (version > s->s_cfg.skc_max_protocol ||
98 version < s->s_cfg.skc_min_protocol)
99 return (B_FALSE);
100 for (i = 0; i < smb2_nversions; i++)
101 if (version == smb2_versions[i])
102 return (B_TRUE);
103 return (B_FALSE);
104 }
105
106 /*
107 * Helper for the (SMB1) smb_com_negotiate(). This is the
193 return (best_version);
194 }
195
196 /*
197 * SMB2 Negotiate gets special handling. This is called directly by
198 * the reader thread (see smbsr_newrq_initial) with what _should_ be
199 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
200 * when this is called, so this needs to check the SMB command,
201 * if it's Negotiate execute it, then send the reply, etc.
202 *
203 * Since this is called directly from the reader thread, we
204 * know this is the only thread currently using this session.
205 * This has to duplicate some of what smb2sr_work does as a
206 * result of bypassing the normal dispatch mechanism.
207 *
208 * The caller always frees this request.
209 *
210 * Return value is 0 for success, and anything else will
211 * terminate the reader thread (drop the connection).
212 */
213 int
214 smb2_newrq_negotiate(smb_request_t *sr)
215 {
216 smb_session_t *s = sr->session;
217 int rc;
218 uint32_t status = 0;
219 uint16_t struct_size;
220 uint16_t best_version;
221 uint16_t version_cnt;
222 uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
223
224 sr->smb2_cmd_hdr = sr->command.chain_offset;
225 rc = smb2_decode_header(sr);
226 if (rc != 0)
227 return (rc);
228
229 if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
230 return (-1);
231
232 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
292 if (version_cnt == 0 ||
293 version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
294 status = NT_STATUS_INVALID_PARAMETER;
295 goto errout;
296 }
297
298 /*
299 * The client offers an array of protocol versions it
300 * supports, which we have decoded into cl_versions[].
301 * We walk the array and pick the highest supported.
302 *
303 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
304 * "If a common dialect is not found, the server MUST fail
305 * the request with STATUS_NOT_SUPPORTED."
306 */
307 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
308 if (best_version == 0) {
309 status = NT_STATUS_NOT_SUPPORTED;
310 goto errout;
311 }
312 s->dialect = best_version;
313
314 /* Allow normal SMB2 requests now. */
315 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
316 s->newrq_func = smb2sr_newrq;
317
318 if (smb2_negotiate_common(sr, best_version) != 0)
319 status = NT_STATUS_INTERNAL_ERROR;
320
321 errout:
322 sr->smb2_status = status;
323 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
324
325 if (sr->smb2_status != 0)
326 smb2sr_put_error(sr, sr->smb2_status);
327 (void) smb2_encode_header(sr, B_TRUE);
328
329 smb2_send_reply(sr);
330
331 return (rc);
332 }
333
334 /*
335 * Common parts of SMB2 Negotiate, used for both the
336 * SMB1-to-SMB2 style, and straight SMB2 style.
337 * Do negotiation decisions and encode the reply.
338 * The caller does the network send.
339 *
340 * Return value is 0 for success, else error.
341 */
342 static int
343 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
344 {
345 timestruc_t boot_tv, now_tv;
346 smb_session_t *s = sr->session;
347 int rc;
348 uint32_t max_rwsize;
349 uint16_t secmode;
350
351 /*
352 * Negotiation itself. First the Security Mode.
353 */
354 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
355 if (sr->sr_cfg->skc_signing_required)
356 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
357 s->srv_secmode = secmode;
358
359 s->cmd_max_bytes = smb2_tcp_bufsize;
360 s->reply_max_bytes = smb2_tcp_bufsize;
361
362 /*
363 * "The number of credits held by the client MUST be considered
364 * as 1 when the connection is established." [MS-SMB2]
365 * We leave credits at 1 until the first successful
366 * session setup is completed.
367 */
368 s->s_cur_credits = s->s_max_credits = 1;
369 sr->smb2_credit_response = 1;
370
371 boot_tv.tv_sec = smb_get_boottime();
372 boot_tv.tv_nsec = 0;
373 now_tv.tv_sec = gethrestime_sec();
374 now_tv.tv_nsec = 0;
375
376 /*
377 * If the version is 0x2FF, we haven't completed negotiate.
378 * Don't initialize until we have our final request.
379 */
380 if (version != 0x2FF)
381 smb2_sign_init_mech(s);
382
383 /*
384 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
385 *
386 * The SMB2.x capabilities are returned without regard for
387 * what capabilities the client provided in the request.
388 * The SMB3.x capabilities returned are the traditional
389 * logical AND of server and client capabilities.
390 *
391 * One additional check: If KCF is missing something we
392 * require for encryption, turn off that capability.
393 */
394 if (s->dialect < SMB_VERS_2_1) {
395 /* SMB 2.002 */
396 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
397 } else if (s->dialect < SMB_VERS_3_0) {
398 /* SMB 2.x */
399 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
400 } else {
401 /* SMB 3.0 or later */
402 s->srv_cap = smb2srv_capabilities &
403 (SMB_2X_CAPS | s->capabilities);
404 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
405 smb3_encrypt_init_mech(s) != 0) {
406 s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
407 }
408 }
409
410 /*
411 * See notes above smb2_max_rwsize, smb2_old_rwsize
412 */
413 if (s->capabilities & SMB2_CAP_LARGE_MTU)
414 max_rwsize = smb2_max_rwsize;
415 else
416 max_rwsize = smb2_old_rwsize;
417
418 rc = smb_mbc_encodef(
419 &sr->reply,
420 "wwww#cllllTTwwl#c",
421 65, /* StructSize */ /* w */
422 s->srv_secmode, /* w */
423 version, /* w */
424 0, /* reserved */ /* w */
425 UUID_LEN, /* # */
426 &s->s_cfg.skc_machine_uuid, /* c */
427 s->srv_cap, /* l */
428 smb2_max_trans, /* l */
429 max_rwsize, /* l */
430 max_rwsize, /* l */
431 &now_tv, /* T */
432 &boot_tv, /* T */
433 128, /* SecBufOff */ /* w */
434 sr->sr_cfg->skc_negtok_len, /* w */
435 0, /* reserved */ /* l */
436 sr->sr_cfg->skc_negtok_len, /* # */
437 sr->sr_cfg->skc_negtok); /* c */
438
439 /* smb2_send_reply(sr); in caller */
440
441 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
442 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
443 sizeof (smb2_tcp_bufsize), CRED());
444 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
445 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
446 sizeof (smb2_tcp_bufsize), CRED());
447
448 return (rc);
449 }
450
451 /*
452 * SMB2 Dispatch table handler, which will run if we see an
453 * SMB2_NEGOTIATE after the initial negotiation is done.
454 * That would be a protocol error.
455 */
456 smb_sdrc_t
457 smb2_negotiate(smb_request_t *sr)
|
1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 * Copyright 2020 RackTop Systems, Inc.
15 */
16
17 /*
18 * Dispatch function for SMB2_NEGOTIATE
19 */
20
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb2.h>
23 #include <sys/random.h>
24
25 /*
26 * Note from [MS-SMB2] Sec. 2.2.3: Windows servers return
27 * invalid parameter if the dialect count is greater than 64
28 * This is here (and not in smb2.h) because this is technically
29 * an implementation detail, not protocol specification.
30 */
31 #define SMB2_NEGOTIATE_MAX_DIALECTS 64
32
33 static int smb2_negotiate_common(smb_request_t *, uint16_t);
34
35 /* List of supported capabilities. Can be patched for testing. */
36 uint32_t smb2srv_capabilities =
37 SMB2_CAP_DFS |
38 SMB2_CAP_LEASING |
39 SMB2_CAP_LARGE_MTU |
40 SMB2_CAP_PERSISTENT_HANDLES |
41 SMB2_CAP_ENCRYPTION;
42
43 /* These are the only capabilities defined for SMB2.X */
69
70 /*
71 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
72 * (including all clients using dialect < SMB 2.1), use a "conservative" value
73 * for max r/w size because some older clients misbehave with larger values.
74 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
75 * Support) as the minimum so we'll use that.
76 */
77 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
78
79 /*
80 * List of all SMB2 versions we implement. Note that the
81 * versions we support may be limited by the
82 * _cfg.skc_max_protocol and min_protocol settings.
83 */
84 static uint16_t smb2_versions[] = {
85 0x202, /* SMB 2.002 */
86 0x210, /* SMB 2.1 */
87 0x300, /* SMB 3.0 */
88 0x302, /* SMB 3.02 */
89 0x311, /* SMB 3.11 */
90 };
91 static uint16_t smb2_nversions =
92 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
93
94 static boolean_t
95 smb2_supported_version(smb_session_t *s, uint16_t version)
96 {
97 int i;
98
99 if (version > s->s_cfg.skc_max_protocol ||
100 version < s->s_cfg.skc_min_protocol)
101 return (B_FALSE);
102 for (i = 0; i < smb2_nversions; i++)
103 if (version == smb2_versions[i])
104 return (B_TRUE);
105 return (B_FALSE);
106 }
107
108 /*
109 * Helper for the (SMB1) smb_com_negotiate(). This is the
195 return (best_version);
196 }
197
198 /*
199 * SMB2 Negotiate gets special handling. This is called directly by
200 * the reader thread (see smbsr_newrq_initial) with what _should_ be
201 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
202 * when this is called, so this needs to check the SMB command,
203 * if it's Negotiate execute it, then send the reply, etc.
204 *
205 * Since this is called directly from the reader thread, we
206 * know this is the only thread currently using this session.
207 * This has to duplicate some of what smb2sr_work does as a
208 * result of bypassing the normal dispatch mechanism.
209 *
210 * The caller always frees this request.
211 *
212 * Return value is 0 for success, and anything else will
213 * terminate the reader thread (drop the connection).
214 */
215 typedef struct smb31_preauth_integrity_caps_ctx {
216 uint16_t hash_count;
217 uint16_t salt_len;
218 char *salt;
219 } smb31_preauth_integrity_caps_ctx_t;
220
221 typedef struct smb31_encryption_caps_ctx {
222 uint16_t cipher_count;
223 } smb31_encrypt_caps_ctx_t;
224
225 enum smb3_neg_ctx_type {
226 SMB31_PREAUTH_INTEGRITY_CAPS = 1,
227 SMB31_ENCRYPTION_CAPS = 2
228 };
229
230 typedef struct smb3_negotiate_context {
231 uint16_t type;
232 uint16_t datalen;
233 uint32_t _resrvd;
234 char data[];
235 } smb3_neg_ctx_t;
236
237 typedef struct smb3_negotiate_context_info {
238 uint32_t offset;
239 uint16_t count;
240 uint16_t _resrvd;
241 } smb3_neg_ctx_info_t;
242
243 #define NEG_CTX_INFO_OFFSET (SMB2_HDR_SIZE + 28)
244 #define STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP (0xC05D0000)
245
246 #define STATUS_PREAUTH_HASH_OVERLAP \
247 STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP
248
249 /*
250 * This function should be called only for dialect >= 0x311
251 * Negotiate context list should contain exactly one
252 * smb31_preauth_INTEGRITY_CAPS context.
253 * Otherwise STATUS_INVALID_PARAMETER.
254 * It should contain at least 1 hash algorith what server does support.
255 * Otehrwise STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP.
256 */
257 static uint32_t
258 smb31_decode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
259 {
260 uint32_t status = 0;
261 int found_preauth_ctx = 0;
262 boolean_t preauth_sha512_enabled = B_FALSE;
263 boolean_t encrypt_ccm_enabled = B_FALSE;
264 boolean_t encrypt_gcm_enabled = B_FALSE;
265 uint16_t cipher = sr->sr_server->sv_cfg.skc_encrypt_cipher;
266 smb3_neg_ctx_info_t neg_ctx_info;
267 int cnt, i;
268 int rc;
269
270 sr->command.chain_offset = NEG_CTX_INFO_OFFSET;
271
272 rc = smb_mbc_decodef(&sr->command, "lw2.",
273 &neg_ctx_info.offset, /* l */
274 &neg_ctx_info.count); /* w */
275 if (rc != 0) {
276 status = NT_STATUS_INVALID_PARAMETER;
277 goto errout;
278 }
279
280 /*
281 * There should be exactly 1 SMB31_PREAUTH_INTEGRITY_CAPS negotiate ctx.
282 * SMB31_ENCRYPTION_CAPS is optional one.
283 */
284 cnt = neg_ctx_info.count;
285 if (cnt < 1) {
286 status = NT_STATUS_INVALID_PARAMETER;
287 goto errout;
288 }
289
290 sr->command.chain_offset = neg_ctx_info.offset;
291
292 /*
293 * Parse negotiate contexts.
294 */
295 for (i = 0; i < cnt; i++) {
296 smb3_neg_ctx_t neg_ctx;
297
298 sr->command.chain_offset =
299 P2ROUNDUP(sr->command.chain_offset, 8);
300
301 rc = smb_mbc_decodef(
302 &sr->command, "ww4.",
303 &neg_ctx.type, /* w */
304 &neg_ctx.datalen); /* w */
305 if (rc != 0) {
306 status = NT_STATUS_INVALID_PARAMETER;
307 goto errout;
308 }
309
310 if (neg_ctx.type == SMB31_PREAUTH_INTEGRITY_CAPS) {
311 smb31_preauth_integrity_caps_ctx_t pic_ctx;
312
313 if (found_preauth_ctx++ != 0) {
314 status = NT_STATUS_INVALID_PARAMETER;
315 goto errout;
316 }
317
318 rc = smb_mbc_decodef(
319 &sr->command, "ww",
320 &pic_ctx.hash_count, /* w */
321 &pic_ctx.salt_len); /* w */
322 if (rc != 0) {
323 status = NT_STATUS_INVALID_PARAMETER;
324 goto errout;
325 }
326
327 /*
328 * In SMB 0x311 there should be exactly 1 preauth
329 * negotiate context, and there should be exactly 1
330 * hash value in the list - SHA512.
331 */
332 if (pic_ctx.hash_count != 1) {
333 status = NT_STATUS_INVALID_PARAMETER;
334 goto errout;
335 }
336
337 for (int k = 0; k < pic_ctx.hash_count; k++) {
338 uint16_t hash_id;
339
340 rc = smb_mbc_decodef(
341 &sr->command, "w",
342 &hash_id); /* w */
343
344 switch (hash_id) {
345 case SMB3_HASH_SHA512:
346 preauth_sha512_enabled = B_TRUE;
347 break;
348 default:
349 ;
350 }
351 }
352
353 rc = smb_mbc_decodef(
354 &sr->command, "#.",
355 pic_ctx.salt_len);
356
357 } else if (neg_ctx.type == SMB31_ENCRYPTION_CAPS) {
358 smb31_encrypt_caps_ctx_t enc_ctx;
359
360 rc = smb_mbc_decodef(
361 &sr->command, "w",
362 &enc_ctx.cipher_count); /* w */
363 if (rc != 0) {
364 status = NT_STATUS_INVALID_PARAMETER;
365 goto errout;
366 }
367
368 for (int k = 0; k < enc_ctx.cipher_count; k++) {
369 uint16_t cipher_id;
370
371 rc = smb_mbc_decodef(
372 &sr->command, "w",
373 &cipher_id); /* w */
374
375 switch (cipher_id) {
376 case SMB3_CIPHER_AES128_CCM:
377 encrypt_ccm_enabled = B_TRUE;
378 break;
379 case SMB3_CIPHER_AES128_GCM:
380 encrypt_gcm_enabled = B_TRUE;
381 break;
382 default:
383 ;
384 }
385 }
386 } else {
387 /* Skip unsupported context */
388 ASSERT0(smb_mbc_decodef(
389 &sr->command, "#.",
390 neg_ctx.datalen));
391 }
392 }
393
394 /* Not found mandatory SMB31_PREAUTH_INTEGRITY_CAPS ctx */
395 if (!found_preauth_ctx)
396 status = NT_STATUS_INVALID_PARAMETER;
397
398 if (!preauth_sha512_enabled) {
399 status = STATUS_PREAUTH_HASH_OVERLAP;
400 goto errout;
401 }
402
403 s->smb31_preauth_hashid = SMB3_HASH_SHA512;
404
405 switch (cipher) {
406 case SMB3_CIPHER_AES128_GCM:
407 if (encrypt_gcm_enabled) {
408 s->smb31_enc_cipherid = cipher;
409 break;
410 }
411 /* FALLTHROUGH */
412 case SMB3_CIPHER_AES128_CCM:
413 if (encrypt_ccm_enabled) {
414 s->smb31_enc_cipherid = cipher;
415 break;
416 }
417 /* FALLTHROUGH */
418 default:
419 s->smb31_enc_cipherid = 0;
420 }
421
422 errout:
423 return (status);
424 }
425
426 #define SMB31_PREAUTH_CTX_SALT_LEN 32
427
428 static int
429 smb31_encode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
430 {
431 uint8_t salt[SMB31_PREAUTH_CTX_SALT_LEN];
432 uint16_t salt_len = SMB31_PREAUTH_CTX_SALT_LEN;
433 uint32_t preauth_ctx_len = 6 + salt_len;
434 uint32_t enc_ctx_len = 4;
435 uint32_t neg_ctx_off = SMB2_HDR_SIZE + 64 +
436 P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
437 uint32_t rc;
438
439 sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
440
441 ASSERT3S(neg_ctx_off, ==, sr->reply.chain_offset);
442
443 (void) random_get_pseudo_bytes(salt, sizeof (salt));
444
445 rc = smb_mbc_encodef(
446 &sr->reply, "ww4.",
447 SMB31_PREAUTH_INTEGRITY_CAPS,
448 preauth_ctx_len
449 /* 4. */); /* reserverd */
450
451 ASSERT0(rc);
452 rc = smb_mbc_encodef(
453 &sr->reply, "www#c",
454 1, /* hash algo count */
455 salt_len, /* salt length */
456 s->smb31_preauth_hashid, /* hash id */
457 salt_len, /* salt length */
458 salt);
459
460 /* aligned on 8-bytes boundary */
461 if (rc != 0 || s->smb31_enc_cipherid == 0) {
462 cmn_err(CE_NOTE, "Encryption is not supported");
463 return (rc);
464 }
465
466 if (sr->reply.chain_offset % 8 != 0) {
467 sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
468 }
469
470 rc = smb_mbc_encodef(
471 &sr->reply, "ww4.",
472 SMB31_ENCRYPTION_CAPS,
473 enc_ctx_len
474 /* 4. */); /* reserverd */
475
476 rc = smb_mbc_encodef(
477 &sr->reply, "ww",
478 1, /* cipher count */
479 s->smb31_enc_cipherid); /* encrypt. cipher id */
480
481 return (rc);
482 }
483
484 int
485 smb2_newrq_negotiate(smb_request_t *sr)
486 {
487 smb_session_t *s = sr->session;
488 int rc;
489 uint32_t status = 0;
490 uint16_t struct_size;
491 uint16_t best_version;
492 uint16_t version_cnt;
493 uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
494
495 sr->smb2_cmd_hdr = sr->command.chain_offset;
496 rc = smb2_decode_header(sr);
497 if (rc != 0)
498 return (rc);
499
500 if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
501 return (-1);
502
503 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
563 if (version_cnt == 0 ||
564 version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
565 status = NT_STATUS_INVALID_PARAMETER;
566 goto errout;
567 }
568
569 /*
570 * The client offers an array of protocol versions it
571 * supports, which we have decoded into cl_versions[].
572 * We walk the array and pick the highest supported.
573 *
574 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
575 * "If a common dialect is not found, the server MUST fail
576 * the request with STATUS_NOT_SUPPORTED."
577 */
578 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
579 if (best_version == 0) {
580 status = NT_STATUS_NOT_SUPPORTED;
581 goto errout;
582 }
583 if (best_version >= 0x311) {
584 if ((status = smb31_decode_neg_ctxs(sr, s)) != 0)
585 goto errout;
586 }
587
588 s->dialect = best_version;
589
590 /* Allow normal SMB2 requests now. */
591 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
592 s->newrq_func = smb2sr_newrq;
593
594 if (smb2_negotiate_common(sr, best_version) != 0)
595 status = NT_STATUS_INTERNAL_ERROR;
596
597 errout:
598 sr->smb2_status = status;
599 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
600
601 if (sr->smb2_status != 0)
602 smb2sr_put_error(sr, sr->smb2_status);
603 (void) smb2_encode_header(sr, B_TRUE);
604
605 if (s->dialect >= SMB_VERS_3_11) {
606 ASSERT3U(s->smb31_preauth_hashid, !=, 0);
607 (void) smb31_preauth_sha512_calc(sr, &sr->reply,
608 s->smb31_preauth_hashval);
609 }
610
611 smb2_send_reply(sr);
612
613 return (rc);
614 }
615
616 /*
617 * Common parts of SMB2 Negotiate, used for both the
618 * SMB1-to-SMB2 style, and straight SMB2 style.
619 * Do negotiation decisions and encode the reply.
620 * The caller does the network send.
621 *
622 * Return value is 0 for success, else error.
623 */
624 static int
625 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
626 {
627 timestruc_t boot_tv, now_tv;
628 smb_session_t *s = sr->session;
629 int rc;
630 uint32_t max_rwsize;
631 uint16_t secmode;
632 uint16_t neg_ctx_cnt = 0;
633 uint32_t neg_ctx_off = 0;
634
635 /*
636 * Negotiation itself. First the Security Mode.
637 */
638 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
639 if (sr->sr_cfg->skc_signing_required)
640 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
641 s->srv_secmode = secmode;
642
643 s->cmd_max_bytes = smb2_tcp_bufsize;
644 s->reply_max_bytes = smb2_tcp_bufsize;
645
646 /*
647 * "The number of credits held by the client MUST be considered
648 * as 1 when the connection is established." [MS-SMB2]
649 * We leave credits at 1 until the first successful
650 * session setup is completed.
651 */
652 s->s_cur_credits = s->s_max_credits = 1;
653 sr->smb2_credit_response = 1;
654
655 boot_tv.tv_sec = smb_get_boottime();
656 boot_tv.tv_nsec = 0;
657 now_tv.tv_sec = gethrestime_sec();
658 now_tv.tv_nsec = 0;
659
660 /*
661 * If the version is 0x2FF, we haven't completed negotiate.
662 * Don't initialize until we have our final request.
663 */
664 if (version != 0x2FF)
665 smb2_sign_init_mech(s);
666 if (version >= 0x311)
667 smb31_preauth_init_mech(s);
668
669 /*
670 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
671 *
672 * The SMB2.x capabilities are returned without regard for
673 * what capabilities the client provided in the request.
674 * The SMB3.x capabilities returned are the traditional
675 * logical AND of server and client capabilities.
676 *
677 * One additional check: If KCF is missing something we
678 * require for encryption, turn off that capability.
679 */
680 if (s->dialect < SMB_VERS_2_1) {
681 /* SMB 2.002 */
682 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
683 } else if (s->dialect < SMB_VERS_3_0) {
684 /* SMB 2.x */
685 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
686 } else {
687 /* SMB 3.0 or later */
688 s->srv_cap = smb2srv_capabilities &
689 (SMB_2X_CAPS | s->capabilities);
690 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
691 smb3_encrypt_init_mech(s) != 0) {
692 s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
693 s->smb31_enc_cipherid = 0;
694 }
695
696 if (s->dialect >= SMB_VERS_3_11) {
697 neg_ctx_cnt = s->smb31_enc_cipherid == 0 ? 1 : 2;
698 neg_ctx_off = SMB2_HDR_SIZE + 64 +
699 P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
700
701 ASSERT3U(s->smb31_preauth_hashid, !=, 0);
702 (void) smb31_preauth_sha512_calc(sr, &sr->command,
703 s->smb31_preauth_hashval);
704 }
705 }
706
707 /*
708 * See notes above smb2_max_rwsize, smb2_old_rwsize
709 */
710 if (s->capabilities & SMB2_CAP_LARGE_MTU)
711 max_rwsize = smb2_max_rwsize;
712 else
713 max_rwsize = smb2_old_rwsize;
714
715 rc = smb_mbc_encodef(
716 &sr->reply,
717 "wwww#cllllTTwwl#c",
718 65, /* StructSize */ /* w */
719 s->srv_secmode, /* w */
720 version, /* w */
721 neg_ctx_cnt, /* w */
722 UUID_LEN, /* # */
723 &s->s_cfg.skc_machine_uuid, /* c */
724 s->srv_cap, /* l */
725 smb2_max_trans, /* l */
726 max_rwsize, /* l */
727 max_rwsize, /* l */
728 &now_tv, /* T */
729 &boot_tv, /* T */
730 128, /* SecBufOff */ /* w */
731 sr->sr_cfg->skc_negtok_len, /* w */
732 neg_ctx_off, /* l */
733 sr->sr_cfg->skc_negtok_len, /* # */
734 sr->sr_cfg->skc_negtok); /* c */
735
736
737
738 if (neg_ctx_cnt) {
739 rc = smb31_encode_neg_ctxs(sr, s);
740 }
741
742 /* smb2_send_reply(sr); in caller */
743
744 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
745 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
746 sizeof (smb2_tcp_bufsize), CRED());
747 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
748 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
749 sizeof (smb2_tcp_bufsize), CRED());
750
751 return (rc);
752 }
753
754 /*
755 * SMB2 Dispatch table handler, which will run if we see an
756 * SMB2_NEGOTIATE after the initial negotiation is done.
757 * That would be a protocol error.
758 */
759 smb_sdrc_t
760 smb2_negotiate(smb_request_t *sr)
|