Print this page
12513 SMB 3.1.1 support for server
   1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /*
  13  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
  14  * Copyright 2019 RackTop Systems.
  15  */
  16 
  17 /*
  18  * Dispatch function for SMB2_NEGOTIATE
  19  */
  20 
  21 #include <smbsrv/smb2_kproto.h>
  22 #include <smbsrv/smb2.h>

  23 
  24 /*
  25  * Note from [MS-SMB2] Sec. 2.2.3:  Windows servers return
  26  * invalid parameter if the dialect count is greater than 64
  27  * This is here (and not in smb2.h) because this is technically
  28  * an implementation detail, not protocol specification.
  29  */
  30 #define SMB2_NEGOTIATE_MAX_DIALECTS     64
  31 
  32 static int smb2_negotiate_common(smb_request_t *, uint16_t);
  33 
  34 /* List of supported capabilities.  Can be patched for testing. */
  35 uint32_t smb2srv_capabilities =
  36         SMB2_CAP_DFS |
  37         SMB2_CAP_LEASING |
  38         SMB2_CAP_LARGE_MTU |
  39         SMB2_CAP_PERSISTENT_HANDLES |
  40         SMB2_CAP_ENCRYPTION;
  41 
  42 /* These are the only capabilities defined for SMB2.X */


  68 
  69 /*
  70  * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
  71  * (including all clients using dialect < SMB 2.1), use a "conservative" value
  72  * for max r/w size because some older clients misbehave with larger values.
  73  * 64KB is recommended in the [MS-SMB2] spec.  (3.3.5.3.1 SMB 2.1 or SMB 3.x
  74  * Support) as the minimum so we'll use that.
  75  */
  76 uint32_t smb2_old_rwsize = (1<<16);       /* 64KB */
  77 
  78 /*
  79  * List of all SMB2 versions we implement.  Note that the
  80  * versions we support may be limited by the
  81  * _cfg.skc_max_protocol and min_protocol settings.
  82  */
  83 static uint16_t smb2_versions[] = {
  84         0x202,  /* SMB 2.002 */
  85         0x210,  /* SMB 2.1 */
  86         0x300,  /* SMB 3.0 */
  87         0x302,  /* SMB 3.02 */

  88 };
  89 static uint16_t smb2_nversions =
  90     sizeof (smb2_versions) / sizeof (smb2_versions[0]);
  91 
  92 static boolean_t
  93 smb2_supported_version(smb_session_t *s, uint16_t version)
  94 {
  95         int i;
  96 
  97         if (version > s->s_cfg.skc_max_protocol ||
  98             version < s->s_cfg.skc_min_protocol)
  99                 return (B_FALSE);
 100         for (i = 0; i < smb2_nversions; i++)
 101                 if (version == smb2_versions[i])
 102                         return (B_TRUE);
 103         return (B_FALSE);
 104 }
 105 
 106 /*
 107  * Helper for the (SMB1) smb_com_negotiate().  This is the


 193         return (best_version);
 194 }
 195 
 196 /*
 197  * SMB2 Negotiate gets special handling.  This is called directly by
 198  * the reader thread (see smbsr_newrq_initial) with what _should_ be
 199  * an SMB2 Negotiate.  Only the "\feSMB" header has been checked
 200  * when this is called, so this needs to check the SMB command,
 201  * if it's Negotiate execute it, then send the reply, etc.
 202  *
 203  * Since this is called directly from the reader thread, we
 204  * know this is the only thread currently using this session.
 205  * This has to duplicate some of what smb2sr_work does as a
 206  * result of bypassing the normal dispatch mechanism.
 207  *
 208  * The caller always frees this request.
 209  *
 210  * Return value is 0 for success, and anything else will
 211  * terminate the reader thread (drop the connection).
 212  */













































































































































































































































































 213 int
 214 smb2_newrq_negotiate(smb_request_t *sr)
 215 {
 216         smb_session_t *s = sr->session;
 217         int rc;
 218         uint32_t status = 0;
 219         uint16_t struct_size;
 220         uint16_t best_version;
 221         uint16_t version_cnt;
 222         uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
 223 
 224         sr->smb2_cmd_hdr = sr->command.chain_offset;
 225         rc = smb2_decode_header(sr);
 226         if (rc != 0)
 227                 return (rc);
 228 
 229         if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
 230                 return (-1);
 231 
 232         if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||


 292         if (version_cnt == 0 ||
 293             version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
 294                 status = NT_STATUS_INVALID_PARAMETER;
 295                 goto errout;
 296         }
 297 
 298         /*
 299          * The client offers an array of protocol versions it
 300          * supports, which we have decoded into cl_versions[].
 301          * We walk the array and pick the highest supported.
 302          *
 303          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 304          * "If a common dialect is not found, the server MUST fail
 305          * the request with STATUS_NOT_SUPPORTED."
 306          */
 307         best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
 308         if (best_version == 0) {
 309                 status = NT_STATUS_NOT_SUPPORTED;
 310                 goto errout;
 311         }





 312         s->dialect = best_version;
 313 
 314         /* Allow normal SMB2 requests now. */
 315         s->s_state = SMB_SESSION_STATE_NEGOTIATED;
 316         s->newrq_func = smb2sr_newrq;
 317 
 318         if (smb2_negotiate_common(sr, best_version) != 0)
 319                 status = NT_STATUS_INTERNAL_ERROR;
 320 
 321 errout:
 322         sr->smb2_status = status;
 323         DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
 324 
 325         if (sr->smb2_status != 0)
 326                 smb2sr_put_error(sr, sr->smb2_status);
 327         (void) smb2_encode_header(sr, B_TRUE);
 328 






 329         smb2_send_reply(sr);
 330 
 331         return (rc);
 332 }
 333 
 334 /*
 335  * Common parts of SMB2 Negotiate, used for both the
 336  * SMB1-to-SMB2 style, and straight SMB2 style.
 337  * Do negotiation decisions and encode the reply.
 338  * The caller does the network send.
 339  *
 340  * Return value is 0 for success, else error.
 341  */
 342 static int
 343 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
 344 {
 345         timestruc_t boot_tv, now_tv;
 346         smb_session_t *s = sr->session;
 347         int rc;
 348         uint32_t max_rwsize;
 349         uint16_t secmode;


 350 
 351         /*
 352          * Negotiation itself.  First the Security Mode.
 353          */
 354         secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 355         if (sr->sr_cfg->skc_signing_required)
 356                 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 357         s->srv_secmode = secmode;
 358 
 359         s->cmd_max_bytes = smb2_tcp_bufsize;
 360         s->reply_max_bytes = smb2_tcp_bufsize;
 361 
 362         /*
 363          * "The number of credits held by the client MUST be considered
 364          * as 1 when the connection is established." [MS-SMB2]
 365          * We leave credits at 1 until the first successful
 366          * session setup is completed.
 367          */
 368         s->s_cur_credits = s->s_max_credits = 1;
 369         sr->smb2_credit_response = 1;
 370 
 371         boot_tv.tv_sec = smb_get_boottime();
 372         boot_tv.tv_nsec = 0;
 373         now_tv.tv_sec = gethrestime_sec();
 374         now_tv.tv_nsec = 0;
 375 
 376         /*
 377          * If the version is 0x2FF, we haven't completed negotiate.
 378          * Don't initialize until we have our final request.
 379          */
 380         if (version != 0x2FF)
 381                 smb2_sign_init_mech(s);


 382 
 383         /*
 384          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 385          *
 386          * The SMB2.x capabilities are returned without regard for
 387          * what capabilities the client provided in the request.
 388          * The SMB3.x capabilities returned are the traditional
 389          * logical AND of server and client capabilities.
 390          *
 391          * One additional check: If KCF is missing something we
 392          * require for encryption, turn off that capability.
 393          */
 394         if (s->dialect < SMB_VERS_2_1) {
 395                 /* SMB 2.002 */
 396                 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
 397         } else if (s->dialect < SMB_VERS_3_0) {
 398                 /* SMB 2.x */
 399                 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
 400         } else {
 401                 /* SMB 3.0 or later */
 402                 s->srv_cap = smb2srv_capabilities &
 403                     (SMB_2X_CAPS | s->capabilities);
 404                 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
 405                     smb3_encrypt_init_mech(s) != 0) {
 406                         s->srv_cap &= ~SMB2_CAP_ENCRYPTION;











 407                 }
 408         }
 409 
 410         /*
 411          * See notes above smb2_max_rwsize, smb2_old_rwsize
 412          */
 413         if (s->capabilities & SMB2_CAP_LARGE_MTU)
 414                 max_rwsize = smb2_max_rwsize;
 415         else
 416                 max_rwsize = smb2_old_rwsize;
 417 
 418         rc = smb_mbc_encodef(
 419             &sr->reply,
 420             "wwww#cllllTTwwl#c",
 421             65, /* StructSize */        /* w */
 422             s->srv_secmode,          /* w */
 423             version,                    /* w */
 424             0, /* reserved */           /* w */
 425             UUID_LEN,                   /* # */
 426             &s->s_cfg.skc_machine_uuid, /* c */
 427             s->srv_cap,                      /* l */
 428             smb2_max_trans,             /* l */
 429             max_rwsize,                 /* l */
 430             max_rwsize,                 /* l */
 431             &now_tv,                        /* T */
 432             &boot_tv,                       /* T */
 433             128, /* SecBufOff */        /* w */
 434             sr->sr_cfg->skc_negtok_len,   /* w */
 435             0,  /* reserved */          /* l */
 436             sr->sr_cfg->skc_negtok_len,   /* # */
 437             sr->sr_cfg->skc_negtok);      /* c */






 438 
 439         /* smb2_send_reply(sr); in caller */
 440 
 441         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 442             SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
 443             sizeof (smb2_tcp_bufsize), CRED());
 444         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 445             SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
 446             sizeof (smb2_tcp_bufsize), CRED());
 447 
 448         return (rc);
 449 }
 450 
 451 /*
 452  * SMB2 Dispatch table handler, which will run if we see an
 453  * SMB2_NEGOTIATE after the initial negotiation is done.
 454  * That would be a protocol error.
 455  */
 456 smb_sdrc_t
 457 smb2_negotiate(smb_request_t *sr)


   1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /*
  13  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
  14  * Copyright 2020 RackTop Systems, Inc.
  15  */
  16 
  17 /*
  18  * Dispatch function for SMB2_NEGOTIATE
  19  */
  20 
  21 #include <smbsrv/smb2_kproto.h>
  22 #include <smbsrv/smb2.h>
  23 #include <sys/random.h>
  24 
  25 /*
  26  * Note from [MS-SMB2] Sec. 2.2.3:  Windows servers return
  27  * invalid parameter if the dialect count is greater than 64
  28  * This is here (and not in smb2.h) because this is technically
  29  * an implementation detail, not protocol specification.
  30  */
  31 #define SMB2_NEGOTIATE_MAX_DIALECTS     64
  32 
  33 static int smb2_negotiate_common(smb_request_t *, uint16_t);
  34 
  35 /* List of supported capabilities.  Can be patched for testing. */
  36 uint32_t smb2srv_capabilities =
  37         SMB2_CAP_DFS |
  38         SMB2_CAP_LEASING |
  39         SMB2_CAP_LARGE_MTU |
  40         SMB2_CAP_PERSISTENT_HANDLES |
  41         SMB2_CAP_ENCRYPTION;
  42 
  43 /* These are the only capabilities defined for SMB2.X */


  69 
  70 /*
  71  * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
  72  * (including all clients using dialect < SMB 2.1), use a "conservative" value
  73  * for max r/w size because some older clients misbehave with larger values.
  74  * 64KB is recommended in the [MS-SMB2] spec.  (3.3.5.3.1 SMB 2.1 or SMB 3.x
  75  * Support) as the minimum so we'll use that.
  76  */
  77 uint32_t smb2_old_rwsize = (1<<16);       /* 64KB */
  78 
  79 /*
  80  * List of all SMB2 versions we implement.  Note that the
  81  * versions we support may be limited by the
  82  * _cfg.skc_max_protocol and min_protocol settings.
  83  */
  84 static uint16_t smb2_versions[] = {
  85         0x202,  /* SMB 2.002 */
  86         0x210,  /* SMB 2.1 */
  87         0x300,  /* SMB 3.0 */
  88         0x302,  /* SMB 3.02 */
  89         0x311,  /* SMB 3.11 */
  90 };
  91 static uint16_t smb2_nversions =
  92     sizeof (smb2_versions) / sizeof (smb2_versions[0]);
  93 
  94 static boolean_t
  95 smb2_supported_version(smb_session_t *s, uint16_t version)
  96 {
  97         int i;
  98 
  99         if (version > s->s_cfg.skc_max_protocol ||
 100             version < s->s_cfg.skc_min_protocol)
 101                 return (B_FALSE);
 102         for (i = 0; i < smb2_nversions; i++)
 103                 if (version == smb2_versions[i])
 104                         return (B_TRUE);
 105         return (B_FALSE);
 106 }
 107 
 108 /*
 109  * Helper for the (SMB1) smb_com_negotiate().  This is the


 195         return (best_version);
 196 }
 197 
 198 /*
 199  * SMB2 Negotiate gets special handling.  This is called directly by
 200  * the reader thread (see smbsr_newrq_initial) with what _should_ be
 201  * an SMB2 Negotiate.  Only the "\feSMB" header has been checked
 202  * when this is called, so this needs to check the SMB command,
 203  * if it's Negotiate execute it, then send the reply, etc.
 204  *
 205  * Since this is called directly from the reader thread, we
 206  * know this is the only thread currently using this session.
 207  * This has to duplicate some of what smb2sr_work does as a
 208  * result of bypassing the normal dispatch mechanism.
 209  *
 210  * The caller always frees this request.
 211  *
 212  * Return value is 0 for success, and anything else will
 213  * terminate the reader thread (drop the connection).
 214  */
 215 typedef struct smb31_preauth_integrity_caps_ctx {
 216         uint16_t        hash_count;
 217         uint16_t        salt_len;
 218         char            *salt;
 219 } smb31_preauth_integrity_caps_ctx_t;
 220 
 221 typedef struct smb31_encryption_caps_ctx {
 222         uint16_t        cipher_count;
 223 } smb31_encrypt_caps_ctx_t;
 224 
 225 enum smb3_neg_ctx_type {
 226         SMB31_PREAUTH_INTEGRITY_CAPS = 1,
 227         SMB31_ENCRYPTION_CAPS = 2
 228 };
 229 
 230 typedef struct smb3_negotiate_context {
 231         uint16_t        type;
 232         uint16_t        datalen;
 233         uint32_t        _resrvd;
 234         char            data[];
 235 } smb3_neg_ctx_t;
 236 
 237 typedef struct smb3_negotiate_context_info {
 238         uint32_t        offset;
 239         uint16_t        count;
 240         uint16_t        _resrvd;
 241 } smb3_neg_ctx_info_t;
 242 
 243 #define NEG_CTX_INFO_OFFSET     (SMB2_HDR_SIZE + 28)
 244 #define STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP     (0xC05D0000)
 245 
 246 #define STATUS_PREAUTH_HASH_OVERLAP \
 247     STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP
 248 
 249 /*
 250  * This function should be called only for dialect >= 0x311
 251  * Negotiate context list should contain exactly one
 252  * smb31_preauth_INTEGRITY_CAPS context.
 253  * Otherwise STATUS_INVALID_PARAMETER.
 254  * It should contain at least 1 hash algorith what server does support.
 255  * Otehrwise STATUS_SMB_NO_PREAUTH_INEGRITY_HASH_OVERLAP.
 256  */
 257 static uint32_t
 258 smb31_decode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
 259 {
 260         uint32_t status = 0;
 261         int found_preauth_ctx = 0;
 262         boolean_t preauth_sha512_enabled = B_FALSE;
 263         boolean_t encrypt_ccm_enabled = B_FALSE;
 264         boolean_t encrypt_gcm_enabled = B_FALSE;
 265         uint16_t cipher = sr->sr_server->sv_cfg.skc_encrypt_cipher;
 266         smb3_neg_ctx_info_t     neg_ctx_info;
 267         int cnt, i;
 268         int rc;
 269 
 270         sr->command.chain_offset = NEG_CTX_INFO_OFFSET;
 271 
 272         rc = smb_mbc_decodef(&sr->command, "lw2.",
 273             &neg_ctx_info.offset,   /* l */
 274             &neg_ctx_info.count);   /* w */
 275         if (rc != 0) {
 276                 status = NT_STATUS_INVALID_PARAMETER;
 277                 goto errout;
 278         }
 279 
 280         /*
 281          * There should be exactly 1 SMB31_PREAUTH_INTEGRITY_CAPS negotiate ctx.
 282          * SMB31_ENCRYPTION_CAPS is optional one.
 283          */
 284         cnt = neg_ctx_info.count;
 285         if (cnt < 1) {
 286                 status = NT_STATUS_INVALID_PARAMETER;
 287                 goto errout;
 288         }
 289 
 290         sr->command.chain_offset = neg_ctx_info.offset;
 291 
 292         /*
 293          * Parse negotiate contexts.
 294          */
 295         for (i = 0; i < cnt; i++) {
 296                 smb3_neg_ctx_t neg_ctx;
 297 
 298                 sr->command.chain_offset =
 299                     P2ROUNDUP(sr->command.chain_offset, 8);
 300 
 301                 rc = smb_mbc_decodef(
 302                     &sr->command, "ww4.",
 303                     &neg_ctx.type,  /* w */
 304                     &neg_ctx.datalen);      /* w */
 305                 if (rc != 0) {
 306                         status = NT_STATUS_INVALID_PARAMETER;
 307                         goto errout;
 308                 }
 309 
 310                 if (neg_ctx.type == SMB31_PREAUTH_INTEGRITY_CAPS) {
 311                         smb31_preauth_integrity_caps_ctx_t pic_ctx;
 312 
 313                         if (found_preauth_ctx++ != 0) {
 314                                 status = NT_STATUS_INVALID_PARAMETER;
 315                                 goto errout;
 316                         }
 317 
 318                         rc = smb_mbc_decodef(
 319                             &sr->command, "ww",
 320                             &pic_ctx.hash_count,    /* w */
 321                             &pic_ctx.salt_len);             /* w */
 322                         if (rc != 0) {
 323                                 status = NT_STATUS_INVALID_PARAMETER;
 324                                 goto errout;
 325                         }
 326 
 327                         /*
 328                          * In SMB 0x311 there should be exactly 1 preauth
 329                          * negotiate context, and there should be exactly 1
 330                          * hash value in the list - SHA512.
 331                          */
 332                         if (pic_ctx.hash_count != 1) {
 333                                 status = NT_STATUS_INVALID_PARAMETER;
 334                                 goto errout;
 335                         }
 336 
 337                         for (int k = 0; k < pic_ctx.hash_count; k++) {
 338                                 uint16_t hash_id;
 339 
 340                                 rc = smb_mbc_decodef(
 341                                     &sr->command, "w",
 342                                     &hash_id);        /* w */
 343 
 344                                 switch (hash_id) {
 345                                 case SMB3_HASH_SHA512:
 346                                         preauth_sha512_enabled = B_TRUE;
 347                                         break;
 348                                 default:
 349                                         ;
 350                                 }
 351                         }
 352 
 353                         rc = smb_mbc_decodef(
 354                             &sr->command, "#.",
 355                             pic_ctx.salt_len);
 356 
 357                 } else if (neg_ctx.type == SMB31_ENCRYPTION_CAPS) {
 358                         smb31_encrypt_caps_ctx_t enc_ctx;
 359 
 360                         rc = smb_mbc_decodef(
 361                             &sr->command, "w",
 362                             &enc_ctx.cipher_count); /* w */
 363                         if (rc != 0) {
 364                                 status = NT_STATUS_INVALID_PARAMETER;
 365                                 goto errout;
 366                         }
 367 
 368                         for (int k = 0; k < enc_ctx.cipher_count; k++) {
 369                                 uint16_t cipher_id;
 370 
 371                                 rc = smb_mbc_decodef(
 372                                     &sr->command, "w",
 373                                     &cipher_id);    /* w */
 374 
 375                                 switch (cipher_id) {
 376                                 case SMB3_CIPHER_AES128_CCM:
 377                                         encrypt_ccm_enabled = B_TRUE;
 378                                         break;
 379                                 case SMB3_CIPHER_AES128_GCM:
 380                                         encrypt_gcm_enabled = B_TRUE;
 381                                         break;
 382                                 default:
 383                                         ;
 384                                 }
 385                         }
 386                 } else {
 387                         /* Skip unsupported context */
 388                         ASSERT0(smb_mbc_decodef(
 389                             &sr->command, "#.",
 390                             neg_ctx.datalen));
 391                 }
 392         }
 393 
 394         /* Not found mandatory SMB31_PREAUTH_INTEGRITY_CAPS ctx */
 395         if (!found_preauth_ctx)
 396                 status = NT_STATUS_INVALID_PARAMETER;
 397 
 398         if (!preauth_sha512_enabled) {
 399                 status = STATUS_PREAUTH_HASH_OVERLAP;
 400                 goto errout;
 401         }
 402 
 403         s->smb31_preauth_hashid = SMB3_HASH_SHA512;
 404 
 405         switch (cipher) {
 406         case SMB3_CIPHER_AES128_GCM:
 407                 if (encrypt_gcm_enabled) {
 408                         s->smb31_enc_cipherid = cipher;
 409                         break;
 410                 }
 411                 /* FALLTHROUGH */
 412         case SMB3_CIPHER_AES128_CCM:
 413                 if (encrypt_ccm_enabled) {
 414                         s->smb31_enc_cipherid = cipher;
 415                         break;
 416                 }
 417                 /* FALLTHROUGH */
 418         default:
 419                 s->smb31_enc_cipherid = 0;
 420         }
 421 
 422 errout:
 423         return (status);
 424 }
 425 
 426 #define SMB31_PREAUTH_CTX_SALT_LEN      32
 427 
 428 static int
 429 smb31_encode_neg_ctxs(smb_request_t *sr, smb_session_t *s)
 430 {
 431         uint8_t salt[SMB31_PREAUTH_CTX_SALT_LEN];
 432         uint16_t salt_len = SMB31_PREAUTH_CTX_SALT_LEN;
 433         uint32_t preauth_ctx_len = 6 + salt_len;
 434         uint32_t enc_ctx_len = 4;
 435         uint32_t neg_ctx_off = SMB2_HDR_SIZE + 64 +
 436             P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
 437         uint32_t rc;
 438 
 439         sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
 440 
 441         ASSERT3S(neg_ctx_off, ==, sr->reply.chain_offset);
 442 
 443         (void) random_get_pseudo_bytes(salt, sizeof (salt));
 444 
 445         rc = smb_mbc_encodef(
 446             &sr->reply, "ww4.",
 447             SMB31_PREAUTH_INTEGRITY_CAPS,
 448             preauth_ctx_len
 449             /* 4. */); /* reserverd */
 450 
 451         ASSERT0(rc);
 452         rc = smb_mbc_encodef(
 453             &sr->reply, "www#c",
 454             1,                          /* hash algo count */
 455             salt_len,                   /* salt length */
 456             s->smb31_preauth_hashid, /* hash id */
 457             salt_len,                   /* salt length */
 458             salt);
 459 
 460         /* aligned on 8-bytes boundary */
 461         if (rc != 0 || s->smb31_enc_cipherid == 0) {
 462                 cmn_err(CE_NOTE, "Encryption is not supported");
 463                 return (rc);
 464         }
 465 
 466         if (sr->reply.chain_offset % 8 != 0) {
 467                 sr->reply.chain_offset = P2ROUNDUP(sr->reply.chain_offset, 8);
 468         }
 469 
 470         rc = smb_mbc_encodef(
 471             &sr->reply, "ww4.",
 472             SMB31_ENCRYPTION_CAPS,
 473             enc_ctx_len
 474             /* 4. */); /* reserverd */
 475 
 476         rc = smb_mbc_encodef(
 477             &sr->reply, "ww",
 478             1,                          /* cipher count */
 479             s->smb31_enc_cipherid);  /* encrypt. cipher id */
 480 
 481         return (rc);
 482 }
 483 
 484 int
 485 smb2_newrq_negotiate(smb_request_t *sr)
 486 {
 487         smb_session_t *s = sr->session;
 488         int rc;
 489         uint32_t status = 0;
 490         uint16_t struct_size;
 491         uint16_t best_version;
 492         uint16_t version_cnt;
 493         uint16_t cl_versions[SMB2_NEGOTIATE_MAX_DIALECTS];
 494 
 495         sr->smb2_cmd_hdr = sr->command.chain_offset;
 496         rc = smb2_decode_header(sr);
 497         if (rc != 0)
 498                 return (rc);
 499 
 500         if (sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR)
 501                 return (-1);
 502 
 503         if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||


 563         if (version_cnt == 0 ||
 564             version_cnt > SMB2_NEGOTIATE_MAX_DIALECTS) {
 565                 status = NT_STATUS_INVALID_PARAMETER;
 566                 goto errout;
 567         }
 568 
 569         /*
 570          * The client offers an array of protocol versions it
 571          * supports, which we have decoded into cl_versions[].
 572          * We walk the array and pick the highest supported.
 573          *
 574          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 575          * "If a common dialect is not found, the server MUST fail
 576          * the request with STATUS_NOT_SUPPORTED."
 577          */
 578         best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
 579         if (best_version == 0) {
 580                 status = NT_STATUS_NOT_SUPPORTED;
 581                 goto errout;
 582         }
 583         if (best_version >= 0x311) {
 584                 if ((status = smb31_decode_neg_ctxs(sr, s)) != 0)
 585                         goto errout;
 586         }
 587 
 588         s->dialect = best_version;
 589 
 590         /* Allow normal SMB2 requests now. */
 591         s->s_state = SMB_SESSION_STATE_NEGOTIATED;
 592         s->newrq_func = smb2sr_newrq;
 593 
 594         if (smb2_negotiate_common(sr, best_version) != 0)
 595                 status = NT_STATUS_INTERNAL_ERROR;
 596 
 597 errout:
 598         sr->smb2_status = status;
 599         DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
 600 
 601         if (sr->smb2_status != 0)
 602                 smb2sr_put_error(sr, sr->smb2_status);
 603         (void) smb2_encode_header(sr, B_TRUE);
 604 
 605         if (s->dialect >= SMB_VERS_3_11) {
 606                 ASSERT3U(s->smb31_preauth_hashid, !=, 0);
 607                 (void) smb31_preauth_sha512_calc(sr, &sr->reply,
 608                     s->smb31_preauth_hashval);
 609         }
 610 
 611         smb2_send_reply(sr);
 612 
 613         return (rc);
 614 }
 615 
 616 /*
 617  * Common parts of SMB2 Negotiate, used for both the
 618  * SMB1-to-SMB2 style, and straight SMB2 style.
 619  * Do negotiation decisions and encode the reply.
 620  * The caller does the network send.
 621  *
 622  * Return value is 0 for success, else error.
 623  */
 624 static int
 625 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
 626 {
 627         timestruc_t boot_tv, now_tv;
 628         smb_session_t *s = sr->session;
 629         int rc;
 630         uint32_t max_rwsize;
 631         uint16_t secmode;
 632         uint16_t neg_ctx_cnt = 0;
 633         uint32_t neg_ctx_off = 0;
 634 
 635         /*
 636          * Negotiation itself.  First the Security Mode.
 637          */
 638         secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 639         if (sr->sr_cfg->skc_signing_required)
 640                 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 641         s->srv_secmode = secmode;
 642 
 643         s->cmd_max_bytes = smb2_tcp_bufsize;
 644         s->reply_max_bytes = smb2_tcp_bufsize;
 645 
 646         /*
 647          * "The number of credits held by the client MUST be considered
 648          * as 1 when the connection is established." [MS-SMB2]
 649          * We leave credits at 1 until the first successful
 650          * session setup is completed.
 651          */
 652         s->s_cur_credits = s->s_max_credits = 1;
 653         sr->smb2_credit_response = 1;
 654 
 655         boot_tv.tv_sec = smb_get_boottime();
 656         boot_tv.tv_nsec = 0;
 657         now_tv.tv_sec = gethrestime_sec();
 658         now_tv.tv_nsec = 0;
 659 
 660         /*
 661          * If the version is 0x2FF, we haven't completed negotiate.
 662          * Don't initialize until we have our final request.
 663          */
 664         if (version != 0x2FF)
 665                 smb2_sign_init_mech(s);
 666         if (version >= 0x311)
 667                 smb31_preauth_init_mech(s);
 668 
 669         /*
 670          * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
 671          *
 672          * The SMB2.x capabilities are returned without regard for
 673          * what capabilities the client provided in the request.
 674          * The SMB3.x capabilities returned are the traditional
 675          * logical AND of server and client capabilities.
 676          *
 677          * One additional check: If KCF is missing something we
 678          * require for encryption, turn off that capability.
 679          */
 680         if (s->dialect < SMB_VERS_2_1) {
 681                 /* SMB 2.002 */
 682                 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS;
 683         } else if (s->dialect < SMB_VERS_3_0) {
 684                 /* SMB 2.x */
 685                 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
 686         } else {
 687                 /* SMB 3.0 or later */
 688                 s->srv_cap = smb2srv_capabilities &
 689                     (SMB_2X_CAPS | s->capabilities);
 690                 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
 691                     smb3_encrypt_init_mech(s) != 0) {
 692                         s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
 693                         s->smb31_enc_cipherid = 0;
 694                 }
 695 
 696                 if (s->dialect >= SMB_VERS_3_11) {
 697                         neg_ctx_cnt = s->smb31_enc_cipherid == 0 ? 1 : 2;
 698                         neg_ctx_off = SMB2_HDR_SIZE + 64 +
 699                             P2ROUNDUP(sr->sr_cfg->skc_negtok_len, 8);
 700 
 701                         ASSERT3U(s->smb31_preauth_hashid, !=, 0);
 702                         (void) smb31_preauth_sha512_calc(sr, &sr->command,
 703                             s->smb31_preauth_hashval);
 704                 }
 705         }
 706 
 707         /*
 708          * See notes above smb2_max_rwsize, smb2_old_rwsize
 709          */
 710         if (s->capabilities & SMB2_CAP_LARGE_MTU)
 711                 max_rwsize = smb2_max_rwsize;
 712         else
 713                 max_rwsize = smb2_old_rwsize;
 714 
 715         rc = smb_mbc_encodef(
 716             &sr->reply,
 717             "wwww#cllllTTwwl#c",
 718             65, /* StructSize */        /* w */
 719             s->srv_secmode,          /* w */
 720             version,                    /* w */
 721             neg_ctx_cnt,                /* w */
 722             UUID_LEN,                   /* # */
 723             &s->s_cfg.skc_machine_uuid, /* c */
 724             s->srv_cap,                      /* l */
 725             smb2_max_trans,             /* l */
 726             max_rwsize,                 /* l */
 727             max_rwsize,                 /* l */
 728             &now_tv,                        /* T */
 729             &boot_tv,                       /* T */
 730             128, /* SecBufOff */        /* w */
 731             sr->sr_cfg->skc_negtok_len,   /* w */
 732             neg_ctx_off,                /* l */
 733             sr->sr_cfg->skc_negtok_len,   /* # */
 734             sr->sr_cfg->skc_negtok);      /* c */
 735 
 736 
 737 
 738         if (neg_ctx_cnt) {
 739                 rc = smb31_encode_neg_ctxs(sr, s);
 740         }
 741 
 742         /* smb2_send_reply(sr); in caller */
 743 
 744         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 745             SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
 746             sizeof (smb2_tcp_bufsize), CRED());
 747         (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
 748             SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
 749             sizeof (smb2_tcp_bufsize), CRED());
 750 
 751         return (rc);
 752 }
 753 
 754 /*
 755  * SMB2 Dispatch table handler, which will run if we see an
 756  * SMB2_NEGOTIATE after the initial negotiation is done.
 757  * That would be a protocol error.
 758  */
 759 smb_sdrc_t
 760 smb2_negotiate(smb_request_t *sr)