1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 
  26 #include <sys/atomic.h>
  27 #include <sys/synch.h>
  28 #include <sys/types.h>
  29 #include <sys/sdt.h>
  30 #include <sys/random.h>
  31 #include <smbsrv/netbios.h>
  32 #include <smbsrv/smb2_kproto.h>
  33 #include <smbsrv/string.h>
  34 #include <netinet/tcp.h>
  35 
  36 /* How many iovec we'll handle as a local array (no allocation) */
  37 #define SMB_LOCAL_IOV_MAX       16
  38 
  39 #define SMB_NEW_KID()   atomic_inc_64_nv(&smb_kids)
  40 
  41 static volatile uint64_t smb_kids;
  42 
  43 /*
  44  * We track the keepalive in minutes, but this constant
  45  * specifies it in seconds, so convert to minutes.
  46  */
  47 uint32_t smb_keep_alive = SMB_PI_KEEP_ALIVE_MIN / 60;
  48 
  49 /*
  50  * This is the maximum time we'll allow a "session" to exist with no
  51  * authenticated smb_user_t objects on it.  This allows a client to
  52  * logoff their "one and only" user session and then logon as some
  53  * different user.  (There are some tests that do that.)  The same
  54  * timeout mechanism also reduces the impact of clients that might
  55  * open TCP connections but never authenticate.
  56  */
  57 int smb_session_auth_tmo = 30; /* sec. */
  58 
  59 /*
  60  * There are many smbtorture test cases that send
  61  * racing requests, and where the tests fail if we
  62  * don't execute them in exactly the order sent.
  63  * These are test bugs.  The protocol makes no
  64  * guarantees about execution order of requests
  65  * that are concurrently active.
  66  *
  67  * Nonetheless, smbtorture has many useful tests,
  68  * so we have this work-around we can enable to
  69  * basically force sequential execution.  When
  70  * enabled, insert a delay after each request is
  71  * issued a taskq job.  Enable this with mdb by
  72  * setting smb_reader_delay to 10.  Don't make it
  73  * more than 500 or so or the server will appear
  74  * to be so slow that tests may time out.
  75  */
  76 int smb_reader_delay = 0;  /* mSec. */
  77 
  78 static int  smbsr_newrq_initial(smb_request_t *);
  79 
  80 static void smb_session_cancel(smb_session_t *);
  81 static int smb_session_reader(smb_session_t *);
  82 static int smb_session_xprt_puthdr(smb_session_t *,
  83     uint8_t msg_type, uint32_t msg_len,
  84     uint8_t *dst, size_t dstlen);
  85 static void smb_session_disconnect_trees(smb_session_t  *);
  86 static void smb_request_init_command_mbuf(smb_request_t *sr);
  87 static void smb_session_genkey(smb_session_t *);
  88 
  89 /*
  90  * This (legacy) code is in support of an "idle timeout" feature,
  91  * which is apparently incomplete.  To complete it, we should:
  92  * when the keep_alive timer expires, check whether the client
  93  * has any open files, and if not then kill their session.
  94  * Right now the timers are there, but nothing happens when
  95  * a timer expires.
  96  *
  97  * Todo: complete logic to kill idle sessions.
  98  *
  99  * Only called when sv_cfg.skc_keepalive != 0
 100  */
 101 void
 102 smb_session_timers(smb_server_t *sv)
 103 {
 104         smb_session_t   *session;
 105         smb_llist_t     *ll;
 106 
 107         ll = &sv->sv_session_list;
 108         smb_llist_enter(ll, RW_READER);
 109         session = smb_llist_head(ll);
 110         while (session != NULL) {
 111                 /*
 112                  * Walk through the table and decrement each keep_alive
 113                  * timer that has not timed out yet. (keepalive > 0)
 114                  */
 115                 SMB_SESSION_VALID(session);
 116                 if (session->keep_alive &&
 117                     (session->keep_alive != (uint32_t)-1))
 118                         session->keep_alive--;
 119 
 120                 session = smb_llist_next(ll, session);
 121         }
 122         smb_llist_exit(ll);
 123 }
 124 
 125 /*
 126  * Send a session message - supports SMB-over-NBT and SMB-over-TCP.
 127  * If an mbuf chain is provided (optional), it will be freed and
 128  * set to NULL -- unconditionally!  (error or not)
 129  *
 130  * Builds a I/O vector (uio/iov) to do the send from mbufs, plus one
 131  * segment for the 4-byte NBT header.
 132  */
 133 int
 134 smb_session_send(smb_session_t *session, uint8_t nbt_type, mbuf_chain_t *mbc)
 135 {
 136         uio_t           uio;
 137         iovec_t         local_iov[SMB_LOCAL_IOV_MAX];
 138         iovec_t         *alloc_iov = NULL;
 139         int             alloc_sz = 0;
 140         mbuf_t          *m;
 141         uint8_t         nbt_hdr[NETBIOS_HDR_SZ];
 142         uint32_t        nbt_len;
 143         int             i, nseg;
 144         int             rc;
 145 
 146         switch (session->s_state) {
 147         case SMB_SESSION_STATE_DISCONNECTED:
 148         case SMB_SESSION_STATE_TERMINATED:
 149                 rc = ENOTCONN;
 150                 goto out;
 151         default:
 152                 break;
 153         }
 154 
 155         /*
 156          * Setup the IOV.  First, count the number of IOV segments
 157          * (plus one for the NBT header) and decide whether we
 158          * need to allocate an iovec or can use local_iov;
 159          */
 160         bzero(&uio, sizeof (uio));
 161         nseg = 1;
 162         m = (mbc != NULL) ? mbc->chain : NULL;
 163         while (m != NULL) {
 164                 nseg++;
 165                 m = m->m_next;
 166         }
 167         if (nseg <= SMB_LOCAL_IOV_MAX) {
 168                 uio.uio_iov = local_iov;
 169         } else {
 170                 alloc_sz = nseg * sizeof (iovec_t);
 171                 alloc_iov = kmem_alloc(alloc_sz, KM_SLEEP);
 172                 uio.uio_iov = alloc_iov;
 173         }
 174         uio.uio_iovcnt = nseg;
 175         uio.uio_segflg = UIO_SYSSPACE;
 176         uio.uio_extflg = UIO_COPY_DEFAULT;
 177 
 178         /*
 179          * Build the iov list, meanwhile computing the length of
 180          * the SMB payload (to put in the NBT header).
 181          */
 182         uio.uio_iov[0].iov_base = (void *)nbt_hdr;
 183         uio.uio_iov[0].iov_len = sizeof (nbt_hdr);
 184         i = 1;
 185         nbt_len = 0;
 186         m = (mbc != NULL) ? mbc->chain : NULL;
 187         while (m != NULL) {
 188                 uio.uio_iov[i].iov_base = m->m_data;
 189                 uio.uio_iov[i++].iov_len = m->m_len;
 190                 nbt_len += m->m_len;
 191                 m = m->m_next;
 192         }
 193         ASSERT3S(i, ==, nseg);
 194 
 195         /*
 196          * Set the NBT header, set uio_resid
 197          */
 198         uio.uio_resid = nbt_len + NETBIOS_HDR_SZ;
 199         rc = smb_session_xprt_puthdr(session, nbt_type, nbt_len,
 200             nbt_hdr, NETBIOS_HDR_SZ);
 201         if (rc != 0)
 202                 goto out;
 203 
 204         smb_server_add_txb(session->s_server, (int64_t)uio.uio_resid);
 205         rc = smb_net_send_uio(session, &uio);
 206 
 207 out:
 208         if (alloc_iov != NULL)
 209                 kmem_free(alloc_iov, alloc_sz);
 210         if ((mbc != NULL) && (mbc->chain != NULL)) {
 211                 m_freem(mbc->chain);
 212                 mbc->chain = NULL;
 213                 mbc->flags = 0;
 214         }
 215         return (rc);
 216 }
 217 
 218 /*
 219  * Read, process and respond to a NetBIOS session request.
 220  *
 221  * A NetBIOS session must be established for SMB-over-NetBIOS.  Validate
 222  * the calling and called name format and save the client NetBIOS name,
 223  * which is used when a NetBIOS session is established to check for and
 224  * cleanup leftover state from a previous session.
 225  *
 226  * Session requests are not valid for SMB-over-TCP, which is unfortunate
 227  * because without the client name leftover state cannot be cleaned up
 228  * if the client is behind a NAT server.
 229  */
 230 static int
 231 smb_netbios_session_request(struct smb_session *session)
 232 {
 233         int                     rc;
 234         char                    *calling_name;
 235         char                    *called_name;
 236         char                    client_name[NETBIOS_NAME_SZ];
 237         struct mbuf_chain       mbc;
 238         char                    *names = NULL;
 239         smb_wchar_t             *wbuf = NULL;
 240         smb_xprt_t              hdr;
 241         char *p;
 242         int rc1, rc2;
 243 
 244         session->keep_alive = smb_keep_alive;
 245 
 246         if ((rc = smb_session_xprt_gethdr(session, &hdr)) != 0)
 247                 return (rc);
 248 
 249         DTRACE_PROBE2(receive__session__req__xprthdr, struct session *, session,
 250             smb_xprt_t *, &hdr);
 251 
 252         if ((hdr.xh_type != SESSION_REQUEST) ||
 253             (hdr.xh_length != NETBIOS_SESSION_REQUEST_DATA_LENGTH)) {
 254                 DTRACE_PROBE1(receive__session__req__failed,
 255                     struct session *, session);
 256                 return (EINVAL);
 257         }
 258 
 259         names = kmem_alloc(hdr.xh_length, KM_SLEEP);
 260 
 261         if ((rc = smb_sorecv(session->sock, names, hdr.xh_length)) != 0) {
 262                 kmem_free(names, hdr.xh_length);
 263                 DTRACE_PROBE1(receive__session__req__failed,
 264                     struct session *, session);
 265                 return (rc);
 266         }
 267 
 268         DTRACE_PROBE3(receive__session__req__data, struct session *, session,
 269             char *, names, uint32_t, hdr.xh_length);
 270 
 271         called_name = &names[0];
 272         calling_name = &names[NETBIOS_ENCODED_NAME_SZ + 2];
 273 
 274         rc1 = netbios_name_isvalid(called_name, 0);
 275         rc2 = netbios_name_isvalid(calling_name, client_name);
 276 
 277         if (rc1 == 0 || rc2 == 0) {
 278 
 279                 DTRACE_PROBE3(receive__invalid__session__req,
 280                     struct session *, session, char *, names,
 281                     uint32_t, hdr.xh_length);
 282 
 283                 kmem_free(names, hdr.xh_length);
 284                 MBC_INIT(&mbc, MAX_DATAGRAM_LENGTH);
 285                 (void) smb_mbc_encodef(&mbc, "b",
 286                     DATAGRAM_INVALID_SOURCE_NAME_FORMAT);
 287                 (void) smb_session_send(session, NEGATIVE_SESSION_RESPONSE,
 288                     &mbc);
 289                 return (EINVAL);
 290         }
 291 
 292         DTRACE_PROBE3(receive__session__req__calling__decoded,
 293             struct session *, session,
 294             char *, calling_name, char *, client_name);
 295 
 296         /*
 297          * The client NetBIOS name is in oem codepage format.
 298          * We need to convert it to unicode and store it in
 299          * multi-byte format.  We also need to strip off any
 300          * spaces added as part of the NetBIOS name encoding.
 301          */
 302         wbuf = kmem_alloc((SMB_PI_MAX_HOST * sizeof (smb_wchar_t)), KM_SLEEP);
 303         (void) oemtoucs(wbuf, client_name, SMB_PI_MAX_HOST, OEM_CPG_850);
 304         (void) smb_wcstombs(session->workstation, wbuf, SMB_PI_MAX_HOST);
 305         kmem_free(wbuf, (SMB_PI_MAX_HOST * sizeof (smb_wchar_t)));
 306 
 307         if ((p = strchr(session->workstation, ' ')) != 0)
 308                 *p = '\0';
 309 
 310         kmem_free(names, hdr.xh_length);
 311         return (smb_session_send(session, POSITIVE_SESSION_RESPONSE, NULL));
 312 }
 313 
 314 /*
 315  * Read 4-byte header from the session socket and build an in-memory
 316  * session transport header.  See smb_xprt_t definition for header
 317  * format information.
 318  *
 319  * Direct hosted NetBIOS-less SMB (SMB-over-TCP) uses port 445.  The
 320  * first byte of the four-byte header must be 0 and the next three
 321  * bytes contain the length of the remaining data.
 322  */
 323 int
 324 smb_session_xprt_gethdr(smb_session_t *session, smb_xprt_t *ret_hdr)
 325 {
 326         int             rc;
 327         unsigned char   buf[NETBIOS_HDR_SZ];
 328 
 329         if ((rc = smb_sorecv(session->sock, buf, NETBIOS_HDR_SZ)) != 0)
 330                 return (rc);
 331 
 332         switch (session->s_local_port) {
 333         case IPPORT_NETBIOS_SSN:
 334                 ret_hdr->xh_type = buf[0];
 335                 ret_hdr->xh_length = (((uint32_t)buf[1] & 1) << 16) |
 336                     ((uint32_t)buf[2] << 8) |
 337                     ((uint32_t)buf[3]);
 338                 break;
 339 
 340         case IPPORT_SMB:
 341                 ret_hdr->xh_type = buf[0];
 342 
 343                 if (ret_hdr->xh_type != 0) {
 344                         cmn_err(CE_WARN, "invalid NBT type (%u) from %s",
 345                             ret_hdr->xh_type, session->ip_addr_str);
 346                         return (EPROTO);
 347                 }
 348 
 349                 ret_hdr->xh_length = ((uint32_t)buf[1] << 16) |
 350                     ((uint32_t)buf[2] << 8) |
 351                     ((uint32_t)buf[3]);
 352                 break;
 353 
 354         default:
 355                 cmn_err(CE_WARN, "invalid port %u", session->s_local_port);
 356                 return (EPROTO);
 357         }
 358 
 359         return (0);
 360 }
 361 
 362 /*
 363  * Encode a transport session packet header into a 4-byte buffer.
 364  */
 365 static int
 366 smb_session_xprt_puthdr(smb_session_t *session,
 367     uint8_t msg_type, uint32_t msg_length,
 368     uint8_t *buf, size_t buflen)
 369 {
 370         if (buf == NULL || buflen < NETBIOS_HDR_SZ) {
 371                 return (-1);
 372         }
 373 
 374         switch (session->s_local_port) {
 375         case IPPORT_NETBIOS_SSN:
 376                 /* Per RFC 1001, 1002: msg. len < 128KB */
 377                 if (msg_length >= (1 << 17))
 378                         return (-1);
 379                 buf[0] = msg_type;
 380                 buf[1] = ((msg_length >> 16) & 1);
 381                 buf[2] = (msg_length >> 8) & 0xff;
 382                 buf[3] = msg_length & 0xff;
 383                 break;
 384 
 385         case IPPORT_SMB:
 386                 /*
 387                  * SMB over TCP is like NetBIOS but the one byte
 388                  * message type is always zero, and the length
 389                  * part is three bytes.  It could actually use
 390                  * longer messages, but this is conservative.
 391                  */
 392                 if (msg_length >= (1 << 24))
 393                         return (-1);
 394                 buf[0] = msg_type;
 395                 buf[1] = (msg_length >> 16) & 0xff;
 396                 buf[2] = (msg_length >> 8) & 0xff;
 397                 buf[3] = msg_length & 0xff;
 398                 break;
 399 
 400         default:
 401                 cmn_err(CE_WARN, "invalid port %u", session->s_local_port);
 402                 return (-1);
 403         }
 404 
 405         return (0);
 406 }
 407 
 408 static void
 409 smb_request_init_command_mbuf(smb_request_t *sr)
 410 {
 411 
 412         /*
 413          * Setup mbuf using the buffer we allocated.
 414          */
 415         MBC_ATTACH_BUF(&sr->command, sr->sr_request_buf, sr->sr_req_length);
 416 
 417         sr->command.flags = 0;
 418         sr->command.shadow_of = NULL;
 419 }
 420 
 421 /*
 422  * smb_request_cancel
 423  *
 424  * Handle a cancel for a request properly depending on the current request
 425  * state.
 426  */
 427 void
 428 smb_request_cancel(smb_request_t *sr)
 429 {
 430         void (*cancel_method)(smb_request_t *) = NULL;
 431 
 432         mutex_enter(&sr->sr_mutex);
 433         switch (sr->sr_state) {
 434 
 435         case SMB_REQ_STATE_INITIALIZING:
 436         case SMB_REQ_STATE_SUBMITTED:
 437         case SMB_REQ_STATE_ACTIVE:
 438         case SMB_REQ_STATE_CLEANED_UP:
 439                 sr->sr_state = SMB_REQ_STATE_CANCELLED;
 440                 break;
 441 
 442         case SMB_REQ_STATE_WAITING_AUTH:
 443         case SMB_REQ_STATE_WAITING_FCN1:
 444         case SMB_REQ_STATE_WAITING_LOCK:
 445         case SMB_REQ_STATE_WAITING_PIPE:
 446                 /*
 447                  * These are states that have a cancel_method.
 448                  * Make the state change now, to ensure that
 449                  * we call cancel_method exactly once.  Do the
 450                  * method call below, after we drop sr_mutex.
 451                  * When the cancelled request thread resumes,
 452                  * it should re-take sr_mutex and set sr_state
 453                  * to CANCELLED, then return STATUS_CANCELLED.
 454                  */
 455                 sr->sr_state = SMB_REQ_STATE_CANCEL_PENDING;
 456                 cancel_method = sr->cancel_method;
 457                 VERIFY(cancel_method != NULL);
 458                 break;
 459 
 460         case SMB_REQ_STATE_WAITING_FCN2:
 461         case SMB_REQ_STATE_COMPLETED:
 462         case SMB_REQ_STATE_CANCEL_PENDING:
 463         case SMB_REQ_STATE_CANCELLED:
 464                 /*
 465                  * No action required for these states since the request
 466                  * is completing.
 467                  */
 468                 break;
 469 
 470         case SMB_REQ_STATE_FREE:
 471         default:
 472                 SMB_PANIC();
 473         }
 474         mutex_exit(&sr->sr_mutex);
 475 
 476         if (cancel_method != NULL) {
 477                 cancel_method(sr);
 478         }
 479 }
 480 
 481 /*
 482  * smb_session_receiver
 483  *
 484  * Receives request from the network and dispatches them to a worker.
 485  *
 486  * When we receive a disconnect here, it _could_ be due to the server
 487  * having initiated disconnect, in which case the session state will be
 488  * SMB_SESSION_STATE_TERMINATED and we want to keep that state so later
 489  * tear-down logic will know which side initiated.
 490  */
 491 void
 492 smb_session_receiver(smb_session_t *session)
 493 {
 494         int     rc = 0;
 495         timeout_id_t tmo = NULL;
 496 
 497         SMB_SESSION_VALID(session);
 498 
 499         session->s_thread = curthread;
 500 
 501         if (session->s_local_port == IPPORT_NETBIOS_SSN) {
 502                 rc = smb_netbios_session_request(session);
 503                 if (rc != 0) {
 504                         smb_rwx_rwenter(&session->s_lock, RW_WRITER);
 505                         if (session->s_state != SMB_SESSION_STATE_TERMINATED)
 506                                 session->s_state =
 507                                     SMB_SESSION_STATE_DISCONNECTED;
 508                         smb_rwx_rwexit(&session->s_lock);
 509                         return;
 510                 }
 511         }
 512 
 513         smb_rwx_rwenter(&session->s_lock, RW_WRITER);
 514         session->s_state = SMB_SESSION_STATE_ESTABLISHED;
 515         session->s_auth_tmo = timeout((tmo_func_t)smb_session_disconnect,
 516             session, SEC_TO_TICK(smb_session_auth_tmo));
 517         smb_rwx_rwexit(&session->s_lock);
 518 
 519         (void) smb_session_reader(session);
 520 
 521         smb_rwx_rwenter(&session->s_lock, RW_WRITER);
 522         if (session->s_state != SMB_SESSION_STATE_TERMINATED)
 523                 session->s_state = SMB_SESSION_STATE_DISCONNECTED;
 524         tmo = session->s_auth_tmo;
 525         session->s_auth_tmo = NULL;
 526         smb_rwx_rwexit(&session->s_lock);
 527 
 528         /* Timeout callback takes s_lock. See untimeout(9f) */
 529         if (tmo != NULL)
 530                 (void) untimeout(tmo);
 531 
 532         smb_soshutdown(session->sock);
 533 
 534         DTRACE_PROBE2(session__drop, struct session *, session, int, rc);
 535 
 536         smb_session_cancel(session);
 537         /*
 538          * At this point everything related to the session should have been
 539          * cleaned up and we expect that nothing will attempt to use the
 540          * socket.
 541          */
 542 }
 543 
 544 /*
 545  * smb_session_disconnect
 546  *
 547  * Server-initiated disconnect (i.e. server shutdown)
 548  */
 549 void
 550 smb_session_disconnect(smb_session_t *session)
 551 {
 552         SMB_SESSION_VALID(session);
 553 
 554         smb_rwx_rwenter(&session->s_lock, RW_WRITER);
 555         switch (session->s_state) {
 556         case SMB_SESSION_STATE_INITIALIZED:
 557         case SMB_SESSION_STATE_CONNECTED:
 558         case SMB_SESSION_STATE_ESTABLISHED:
 559         case SMB_SESSION_STATE_NEGOTIATED:
 560                 smb_soshutdown(session->sock);
 561                 session->s_state = SMB_SESSION_STATE_TERMINATED;
 562                 break;
 563         case SMB_SESSION_STATE_DISCONNECTED:
 564         case SMB_SESSION_STATE_TERMINATED:
 565                 break;
 566         }
 567         smb_rwx_rwexit(&session->s_lock);
 568 }
 569 
 570 /*
 571  * Read and process SMB requests.
 572  *
 573  * Returns:
 574  *      0       Success
 575  *      1       Unable to read transport header
 576  *      2       Invalid transport header type
 577  *      3       Invalid SMB length (too small)
 578  *      4       Unable to read SMB header
 579  *      5       Invalid SMB header (bad magic number)
 580  *      6       Unable to read SMB data
 581  */
 582 static int
 583 smb_session_reader(smb_session_t *session)
 584 {
 585         smb_server_t    *sv;
 586         smb_request_t   *sr = NULL;
 587         smb_xprt_t      hdr;
 588         uint8_t         *req_buf;
 589         uint32_t        resid;
 590         int             rc;
 591 
 592         sv = session->s_server;
 593 
 594         for (;;) {
 595 
 596                 rc = smb_session_xprt_gethdr(session, &hdr);
 597                 if (rc)
 598                         return (rc);
 599 
 600                 DTRACE_PROBE2(session__receive__xprthdr, session_t *, session,
 601                     smb_xprt_t *, &hdr);
 602 
 603                 if (hdr.xh_type != SESSION_MESSAGE) {
 604                         /*
 605                          * Anything other than SESSION_MESSAGE or
 606                          * SESSION_KEEP_ALIVE is an error.  A SESSION_REQUEST
 607                          * may indicate a new session request but we need to
 608                          * close this session and we can treat it as an error
 609                          * here.
 610                          */
 611                         if (hdr.xh_type == SESSION_KEEP_ALIVE) {
 612                                 session->keep_alive = smb_keep_alive;
 613                                 continue;
 614                         }
 615                         return (EPROTO);
 616                 }
 617 
 618                 if (hdr.xh_length == 0) {
 619                         /* zero length is another form of keep alive */
 620                         session->keep_alive = smb_keep_alive;
 621                         continue;
 622                 }
 623 
 624                 if (hdr.xh_length < SMB_HEADER_LEN)
 625                         return (EPROTO);
 626                 if (hdr.xh_length > session->cmd_max_bytes)
 627                         return (EPROTO);
 628 
 629                 session->keep_alive = smb_keep_alive;
 630 
 631                 /*
 632                  * Allocate a request context, read the whole message.
 633                  * If the request alloc fails, we've disconnected
 634                  * and won't be able to send the reply anyway, so bail now.
 635                  */
 636                 if ((sr = smb_request_alloc(session, hdr.xh_length)) == NULL)
 637                         break;
 638 
 639                 req_buf = (uint8_t *)sr->sr_request_buf;
 640                 resid = hdr.xh_length;
 641 
 642                 rc = smb_sorecv(session->sock, req_buf, resid);
 643                 if (rc) {
 644                         smb_request_free(sr);
 645                         break;
 646                 }
 647 
 648                 /* accounting: received bytes */
 649                 smb_server_add_rxb(sv,
 650                     (int64_t)(hdr.xh_length + NETBIOS_HDR_SZ));
 651 
 652                 /*
 653                  * Initialize command MBC to represent the received data.
 654                  */
 655                 smb_request_init_command_mbuf(sr);
 656 
 657                 DTRACE_PROBE1(session__receive__smb, smb_request_t *, sr);
 658 
 659                 rc = session->newrq_func(sr);
 660                 sr = NULL;      /* enqueued or freed */
 661                 if (rc != 0)
 662                         break;
 663 
 664                 /* See notes where this is defined (above). */
 665                 if (smb_reader_delay) {
 666                         delay(MSEC_TO_TICK(smb_reader_delay));
 667                 }
 668         }
 669         return (rc);
 670 }
 671 
 672 /*
 673  * This is the initial handler for new smb requests, called from
 674  * from smb_session_reader when we have not yet seen any requests.
 675  * The first SMB request must be "negotiate", which determines
 676  * which protocol and dialect we'll be using.  That's the ONLY
 677  * request type handled here, because with all later requests,
 678  * we know the protocol and handle those with either the SMB1 or
 679  * SMB2 handlers:  smb1sr_post() or smb2sr_post().
 680  * Those do NOT allow SMB negotiate, because that's only allowed
 681  * as the first request on new session.
 682  *
 683  * This and other "post a request" handlers must either enqueue
 684  * the new request for the session taskq, or smb_request_free it
 685  * (in case we've decided to drop this connection).  In this
 686  * (special) new request handler, we always free the request.
 687  *
 688  * Return value is 0 for success, and anything else will
 689  * terminate the reader thread (drop the connection).
 690  */
 691 static int
 692 smbsr_newrq_initial(smb_request_t *sr)
 693 {
 694         uint32_t magic;
 695         int rc = EPROTO;
 696 
 697         mutex_enter(&sr->sr_mutex);
 698         sr->sr_state = SMB_REQ_STATE_ACTIVE;
 699         mutex_exit(&sr->sr_mutex);
 700 
 701         magic = SMB_READ_PROTOCOL(sr->sr_request_buf);
 702         if (magic == SMB_PROTOCOL_MAGIC)
 703                 rc = smb1_newrq_negotiate(sr);
 704         if (magic == SMB2_PROTOCOL_MAGIC)
 705                 rc = smb2_newrq_negotiate(sr);
 706 
 707         mutex_enter(&sr->sr_mutex);
 708         sr->sr_state = SMB_REQ_STATE_COMPLETED;
 709         mutex_exit(&sr->sr_mutex);
 710 
 711         smb_request_free(sr);
 712         return (rc);
 713 }
 714 
 715 /*
 716  * Port will be IPPORT_NETBIOS_SSN or IPPORT_SMB.
 717  */
 718 smb_session_t *
 719 smb_session_create(ksocket_t new_so, uint16_t port, smb_server_t *sv,
 720     int family)
 721 {
 722         struct sockaddr_in      sin;
 723         socklen_t               slen;
 724         struct sockaddr_in6     sin6;
 725         smb_session_t           *session;
 726         int64_t                 now;
 727         uint16_t                rport;
 728 
 729         session = kmem_cache_alloc(smb_cache_session, KM_SLEEP);
 730         bzero(session, sizeof (smb_session_t));
 731 
 732         if (smb_idpool_constructor(&session->s_uid_pool)) {
 733                 kmem_cache_free(smb_cache_session, session);
 734                 return (NULL);
 735         }
 736         if (smb_idpool_constructor(&session->s_tid_pool)) {
 737                 smb_idpool_destructor(&session->s_uid_pool);
 738                 kmem_cache_free(smb_cache_session, session);
 739                 return (NULL);
 740         }
 741 
 742         now = ddi_get_lbolt64();
 743 
 744         session->s_server = sv;
 745         session->s_kid = SMB_NEW_KID();
 746         session->s_state = SMB_SESSION_STATE_INITIALIZED;
 747         session->native_os = NATIVE_OS_UNKNOWN;
 748         session->opentime = now;
 749         session->keep_alive = smb_keep_alive;
 750         session->activity_timestamp = now;
 751         smb_session_genkey(session);
 752 
 753         mutex_init(&session->s_credits_mutex, NULL, MUTEX_DEFAULT, NULL);
 754 
 755         smb_slist_constructor(&session->s_req_list, sizeof (smb_request_t),
 756             offsetof(smb_request_t, sr_session_lnd));
 757 
 758         smb_llist_constructor(&session->s_user_list, sizeof (smb_user_t),
 759             offsetof(smb_user_t, u_lnd));
 760 
 761         smb_llist_constructor(&session->s_tree_list, sizeof (smb_tree_t),
 762             offsetof(smb_tree_t, t_lnd));
 763 
 764         smb_llist_constructor(&session->s_xa_list, sizeof (smb_xa_t),
 765             offsetof(smb_xa_t, xa_lnd));
 766 
 767         smb_net_txl_constructor(&session->s_txlst);
 768 
 769         smb_rwx_init(&session->s_lock);
 770 
 771         session->s_srqueue = &sv->sv_srqueue;
 772         smb_server_get_cfg(sv, &session->s_cfg);
 773 
 774         if (new_so == NULL) {
 775                 /*
 776                  * This call is creating the special "server" session,
 777                  * used for kshare export, oplock breaks, CA import.
 778                  * CA import creates temporary trees on this session
 779                  * and those should never get map/unmap up-calls, so
 780                  * force the map/unmap flags zero on this session.
 781                  * Set a "modern" dialect for CA import too, so
 782                  * pathname parse doesn't do OS/2 stuff, etc.
 783                  */
 784                 session->s_cfg.skc_execflags = 0;
 785                 session->dialect = session->s_cfg.skc_max_protocol;
 786         } else {
 787                 if (family == AF_INET) {
 788                         slen = sizeof (sin);
 789                         (void) ksocket_getsockname(new_so,
 790                             (struct sockaddr *)&sin, &slen, CRED());
 791                         bcopy(&sin.sin_addr,
 792                             &session->local_ipaddr.au_addr.au_ipv4,
 793                             sizeof (in_addr_t));
 794                         slen = sizeof (sin);
 795                         (void) ksocket_getpeername(new_so,
 796                             (struct sockaddr *)&sin, &slen, CRED());
 797                         bcopy(&sin.sin_addr,
 798                             &session->ipaddr.au_addr.au_ipv4,
 799                             sizeof (in_addr_t));
 800                         rport = sin.sin_port;
 801                 } else {
 802                         slen = sizeof (sin6);
 803                         (void) ksocket_getsockname(new_so,
 804                             (struct sockaddr *)&sin6, &slen, CRED());
 805                         bcopy(&sin6.sin6_addr,
 806                             &session->local_ipaddr.au_addr.au_ipv6,
 807                             sizeof (in6_addr_t));
 808                         slen = sizeof (sin6);
 809                         (void) ksocket_getpeername(new_so,
 810                             (struct sockaddr *)&sin6, &slen, CRED());
 811                         bcopy(&sin6.sin6_addr,
 812                             &session->ipaddr.au_addr.au_ipv6,
 813                             sizeof (in6_addr_t));
 814                         rport = sin6.sin6_port;
 815                 }
 816                 session->ipaddr.a_family = family;
 817                 session->local_ipaddr.a_family = family;
 818                 session->s_local_port = port;
 819                 session->s_remote_port = ntohs(rport);
 820                 session->sock = new_so;
 821                 (void) smb_inet_ntop(&session->ipaddr,
 822                     session->ip_addr_str, INET6_ADDRSTRLEN);
 823                 if (port == IPPORT_NETBIOS_SSN)
 824                         smb_server_inc_nbt_sess(sv);
 825                 else
 826                         smb_server_inc_tcp_sess(sv);
 827         }
 828 
 829         /*
 830          * The initial new request handler is special,
 831          * and only accepts negotiation requests.
 832          */
 833         session->newrq_func = smbsr_newrq_initial;
 834 
 835         /* These may increase in SMB2 negotiate. */
 836         session->cmd_max_bytes = SMB_REQ_MAX_SIZE;
 837         session->reply_max_bytes = SMB_REQ_MAX_SIZE;
 838 
 839         session->s_magic = SMB_SESSION_MAGIC;
 840         return (session);
 841 }
 842 
 843 void
 844 smb_session_delete(smb_session_t *session)
 845 {
 846 
 847         ASSERT(session->s_magic == SMB_SESSION_MAGIC);
 848 
 849         if (session->enc_mech != NULL)
 850                 smb3_encrypt_fini(session);
 851 
 852         if (session->sign_fini != NULL)
 853                 session->sign_fini(session);
 854 
 855         if (session->signing.mackey != NULL) {
 856                 kmem_free(session->signing.mackey,
 857                     session->signing.mackey_len);
 858         }
 859 
 860         session->s_magic = 0;
 861 
 862         smb_rwx_destroy(&session->s_lock);
 863         smb_net_txl_destructor(&session->s_txlst);
 864 
 865         mutex_destroy(&session->s_credits_mutex);
 866 
 867         smb_slist_destructor(&session->s_req_list);
 868         smb_llist_destructor(&session->s_tree_list);
 869         smb_llist_destructor(&session->s_user_list);
 870         smb_llist_destructor(&session->s_xa_list);
 871 
 872         ASSERT(session->s_tree_cnt == 0);
 873         ASSERT(session->s_file_cnt == 0);
 874         ASSERT(session->s_dir_cnt == 0);
 875 
 876         smb_idpool_destructor(&session->s_tid_pool);
 877         smb_idpool_destructor(&session->s_uid_pool);
 878         if (session->sock != NULL) {
 879                 if (session->s_local_port == IPPORT_NETBIOS_SSN)
 880                         smb_server_dec_nbt_sess(session->s_server);
 881                 else
 882                         smb_server_dec_tcp_sess(session->s_server);
 883                 smb_sodestroy(session->sock);
 884         }
 885         kmem_cache_free(smb_cache_session, session);
 886 }
 887 
 888 static void
 889 smb_session_cancel(smb_session_t *session)
 890 {
 891         smb_xa_t        *xa, *nextxa;
 892 
 893         /* All the request currently being treated must be canceled. */
 894         smb_session_cancel_requests(session, NULL, NULL);
 895 
 896         /*
 897          * We wait for the completion of all the requests associated with
 898          * this session.
 899          */
 900         smb_slist_wait_for_empty(&session->s_req_list);
 901 
 902         /*
 903          * Cleanup transact state objects
 904          */
 905         xa = smb_llist_head(&session->s_xa_list);
 906         while (xa) {
 907                 nextxa = smb_llist_next(&session->s_xa_list, xa);
 908                 smb_xa_close(xa);
 909                 xa = nextxa;
 910         }
 911 
 912         /*
 913          * At this point the reference count of the files and directories
 914          * should be zero. It should be possible to destroy them without
 915          * any problem, which should trigger the destruction of other objects.
 916          */
 917         smb_session_logoff(session);
 918 }
 919 
 920 /*
 921  * Cancel requests.  If a non-null tree is specified, only requests specific
 922  * to that tree will be cancelled.  If a non-null sr is specified, that sr
 923  * will be not be cancelled - this would typically be the caller's sr.
 924  */
 925 void
 926 smb_session_cancel_requests(
 927     smb_session_t       *session,
 928     smb_tree_t          *tree,
 929     smb_request_t       *exclude_sr)
 930 {
 931         smb_request_t   *sr;
 932 
 933         smb_slist_enter(&session->s_req_list);
 934         sr = smb_slist_head(&session->s_req_list);
 935 
 936         while (sr) {
 937                 ASSERT(sr->sr_magic == SMB_REQ_MAGIC);
 938                 if ((sr != exclude_sr) &&
 939                     (tree == NULL || sr->tid_tree == tree))
 940                         smb_request_cancel(sr);
 941 
 942                 sr = smb_slist_next(&session->s_req_list, sr);
 943         }
 944 
 945         smb_slist_exit(&session->s_req_list);
 946 }
 947 
 948 /*
 949  * Find a user on the specified session by SMB UID.
 950  */
 951 smb_user_t *
 952 smb_session_lookup_uid(smb_session_t *session, uint16_t uid)
 953 {
 954         return (smb_session_lookup_uid_st(session, 0, uid,
 955             SMB_USER_STATE_LOGGED_ON));
 956 }
 957 
 958 /*
 959  * Find a user on the specified session by SMB2 SSNID.
 960  */
 961 smb_user_t *
 962 smb_session_lookup_ssnid(smb_session_t *session, uint64_t ssnid)
 963 {
 964         return (smb_session_lookup_uid_st(session, ssnid, 0,
 965             SMB_USER_STATE_LOGGED_ON));
 966 }
 967 
 968 smb_user_t *
 969 smb_session_lookup_uid_st(smb_session_t *session, uint64_t ssnid,
 970     uint16_t uid, smb_user_state_t st)
 971 {
 972         smb_user_t      *user;
 973         smb_llist_t     *user_list;
 974 
 975         SMB_SESSION_VALID(session);
 976 
 977         user_list = &session->s_user_list;
 978         smb_llist_enter(user_list, RW_READER);
 979 
 980         for (user = smb_llist_head(user_list);
 981             user != NULL;
 982             user = smb_llist_next(user_list, user)) {
 983 
 984                 SMB_USER_VALID(user);
 985                 ASSERT(user->u_session == session);
 986 
 987                 if (user->u_ssnid != ssnid && user->u_uid != uid)
 988                         continue;
 989 
 990                 mutex_enter(&user->u_mutex);
 991                 if (user->u_state == st) {
 992                         // smb_user_hold_internal(user);
 993                         user->u_refcnt++;
 994                         mutex_exit(&user->u_mutex);
 995                         break;
 996                 }
 997                 mutex_exit(&user->u_mutex);
 998         }
 999 
1000         smb_llist_exit(user_list);
1001         return (user);
1002 }
1003 
1004 /*
1005  * Find a tree by tree-id.
1006  */
1007 smb_tree_t *
1008 smb_session_lookup_tree(
1009     smb_session_t       *session,
1010     uint16_t            tid)
1011 {
1012         smb_tree_t      *tree;
1013 
1014         SMB_SESSION_VALID(session);
1015 
1016         smb_llist_enter(&session->s_tree_list, RW_READER);
1017         tree = smb_llist_head(&session->s_tree_list);
1018 
1019         while (tree) {
1020                 ASSERT3U(tree->t_magic, ==, SMB_TREE_MAGIC);
1021                 ASSERT(tree->t_session == session);
1022 
1023                 if (tree->t_tid == tid) {
1024                         if (smb_tree_hold(tree)) {
1025                                 smb_llist_exit(&session->s_tree_list);
1026                                 return (tree);
1027                         } else {
1028                                 smb_llist_exit(&session->s_tree_list);
1029                                 return (NULL);
1030                         }
1031                 }
1032 
1033                 tree = smb_llist_next(&session->s_tree_list, tree);
1034         }
1035 
1036         smb_llist_exit(&session->s_tree_list);
1037         return (NULL);
1038 }
1039 
1040 /*
1041  * Disconnect all trees that match the specified client process-id.
1042  * Used by the SMB1 "process exit" request.
1043  */
1044 void
1045 smb_session_close_pid(
1046     smb_session_t       *session,
1047     uint32_t            pid)
1048 {
1049         smb_llist_t     *tree_list = &session->s_tree_list;
1050         smb_tree_t      *tree;
1051 
1052         smb_llist_enter(tree_list, RW_READER);
1053 
1054         tree = smb_llist_head(tree_list);
1055         while (tree) {
1056                 if (smb_tree_hold(tree)) {
1057                         smb_tree_close_pid(tree, pid);
1058                         smb_tree_release(tree);
1059                 }
1060                 tree = smb_llist_next(tree_list, tree);
1061         }
1062 
1063         smb_llist_exit(tree_list);
1064 }
1065 
1066 static void
1067 smb_session_tree_dtor(void *arg)
1068 {
1069         smb_tree_t      *tree = arg;
1070 
1071         smb_tree_disconnect(tree, B_TRUE);
1072         /* release the ref acquired during the traversal loop */
1073         smb_tree_release(tree);
1074 }
1075 
1076 
1077 /*
1078  * Disconnect all trees that this user has connected.
1079  */
1080 void
1081 smb_session_disconnect_owned_trees(
1082     smb_session_t       *session,
1083     smb_user_t          *owner)
1084 {
1085         smb_tree_t      *tree;
1086         smb_llist_t     *tree_list = &session->s_tree_list;
1087 
1088         SMB_SESSION_VALID(session);
1089         SMB_USER_VALID(owner);
1090 
1091         smb_llist_enter(tree_list, RW_READER);
1092 
1093         tree = smb_llist_head(tree_list);
1094         while (tree) {
1095                 if ((tree->t_owner == owner) &&
1096                     smb_tree_hold(tree)) {
1097                         /*
1098                          * smb_tree_hold() succeeded, hence we are in state
1099                          * SMB_TREE_STATE_CONNECTED; schedule this tree
1100                          * for disconnect after smb_llist_exit because
1101                          * the "unmap exec" up-call can block, and we'd
1102                          * rather not block with the tree list locked.
1103                          */
1104                         smb_llist_post(tree_list, tree, smb_session_tree_dtor);
1105                 }
1106                 tree = smb_llist_next(tree_list, tree);
1107         }
1108 
1109         /* drop the lock and flush the dtor queue */
1110         smb_llist_exit(tree_list);
1111 }
1112 
1113 /*
1114  * Disconnect all trees that this user has connected.
1115  */
1116 static void
1117 smb_session_disconnect_trees(
1118     smb_session_t       *session)
1119 {
1120         smb_llist_t     *tree_list = &session->s_tree_list;
1121         smb_tree_t      *tree;
1122 
1123         smb_llist_enter(tree_list, RW_READER);
1124 
1125         tree = smb_llist_head(tree_list);
1126         while (tree) {
1127                 if (smb_tree_hold(tree)) {
1128                         smb_llist_post(tree_list, tree,
1129                             smb_session_tree_dtor);
1130                 }
1131                 tree = smb_llist_next(tree_list, tree);
1132         }
1133 
1134         /* drop the lock and flush the dtor queue */
1135         smb_llist_exit(tree_list);
1136 }
1137 
1138 /*
1139  * Variant of smb_session_tree_dtor that also
1140  * cancels requests using this tree.
1141  */
1142 static void
1143 smb_session_tree_kill(void *arg)
1144 {
1145         smb_tree_t      *tree = arg;
1146 
1147         SMB_TREE_VALID(tree);
1148 
1149         smb_tree_disconnect(tree, B_TRUE);
1150         smb_session_cancel_requests(tree->t_session, tree, NULL);
1151 
1152         /* release the ref acquired during the traversal loop */
1153         smb_tree_release(tree);
1154 }
1155 
1156 /*
1157  * Disconnect all trees that match the specified share name,
1158  * and kill requests using those trees.
1159  */
1160 void
1161 smb_session_disconnect_share(
1162     smb_session_t       *session,
1163     const char          *sharename)
1164 {
1165         smb_llist_t     *ll;
1166         smb_tree_t      *tree;
1167 
1168         SMB_SESSION_VALID(session);
1169 
1170         ll = &session->s_tree_list;
1171         smb_llist_enter(ll, RW_READER);
1172 
1173         for (tree = smb_llist_head(ll);
1174             tree != NULL;
1175             tree = smb_llist_next(ll, tree)) {
1176 
1177                 SMB_TREE_VALID(tree);
1178                 ASSERT(tree->t_session == session);
1179 
1180                 if (smb_strcasecmp(tree->t_sharename, sharename, 0) != 0)
1181                         continue;
1182 
1183                 if (smb_tree_hold(tree)) {
1184                         smb_llist_post(ll, tree,
1185                             smb_session_tree_kill);
1186                 }
1187         }
1188 
1189         smb_llist_exit(ll);
1190 }
1191 
1192 /*
1193  * Logoff all users associated with the specified session.
1194  *
1195  * This is called for both server-initiated disconnect
1196  * (SMB_SESSION_STATE_TERMINATED) and client-initiated
1197  * disconnect (SMB_SESSION_STATE_DISCONNECTED).
1198  * If client-initiated, save durable handles.
1199  */
1200 void
1201 smb_session_logoff(smb_session_t *session)
1202 {
1203         smb_llist_t     *ulist;
1204         smb_user_t      *user;
1205 
1206         SMB_SESSION_VALID(session);
1207 
1208 top:
1209         ulist = &session->s_user_list;
1210         smb_llist_enter(ulist, RW_READER);
1211 
1212         user = smb_llist_head(ulist);
1213         while (user) {
1214                 SMB_USER_VALID(user);
1215                 ASSERT(user->u_session == session);
1216 
1217                 mutex_enter(&user->u_mutex);
1218                 switch (user->u_state) {
1219                 case SMB_USER_STATE_LOGGING_ON:
1220                 case SMB_USER_STATE_LOGGED_ON:
1221                         // smb_user_hold_internal(user);
1222                         user->u_refcnt++;
1223                         mutex_exit(&user->u_mutex);
1224                         smb_user_logoff(user);
1225                         smb_user_release(user);
1226                         break;
1227 
1228                 case SMB_USER_STATE_LOGGED_OFF:
1229                 case SMB_USER_STATE_LOGGING_OFF:
1230                         mutex_exit(&user->u_mutex);
1231                         break;
1232 
1233                 default:
1234                         mutex_exit(&user->u_mutex);
1235                         ASSERT(0);
1236                         break;
1237                 }
1238 
1239                 user = smb_llist_next(ulist, user);
1240         }
1241 
1242         /* Needed below (Was the list empty?) */
1243         user = smb_llist_head(ulist);
1244 
1245         smb_llist_exit(ulist);
1246 
1247         /*
1248          * It's possible for user objects to remain due to references
1249          * obtained via smb_server_lookup_ssnid(), when an SMB2
1250          * session setup is destroying a previous session.
1251          *
1252          * Wait for user objects to clear out (last refs. go away,
1253          * then smb_user_delete takes them out of the list).  When
1254          * the last user object is removed, the session state is
1255          * set to SHUTDOWN and s_lock is signaled.
1256          *
1257          * Not all places that call smb_user_release necessarily
1258          * flush the delete queue, so after we wait for the list
1259          * to empty out, go back to the top and recheck the list
1260          * delete queue to make sure smb_user_delete happens.
1261          */
1262         if (user == NULL) {
1263                 /* User list is empty. */
1264                 smb_rwx_rwenter(&session->s_lock, RW_WRITER);
1265                 session->s_state = SMB_SESSION_STATE_SHUTDOWN;
1266                 smb_rwx_rwexit(&session->s_lock);
1267         } else {
1268                 smb_rwx_rwenter(&session->s_lock, RW_READER);
1269                 if (session->s_state != SMB_SESSION_STATE_SHUTDOWN) {
1270                         (void) smb_rwx_cvwait(&session->s_lock,
1271                             MSEC_TO_TICK(200));
1272                         smb_rwx_rwexit(&session->s_lock);
1273                         goto top;
1274                 }
1275                 smb_rwx_rwexit(&session->s_lock);
1276         }
1277         ASSERT(session->s_state == SMB_SESSION_STATE_SHUTDOWN);
1278 
1279         /*
1280          * User list should be empty now.
1281          */
1282 #ifdef  DEBUG
1283         if (ulist->ll_count != 0) {
1284                 cmn_err(CE_WARN, "user list not empty?");
1285                 debug_enter("s_user_list");
1286         }
1287 #endif
1288 
1289         /*
1290          * User logoff happens first so we'll set preserve_opens
1291          * for client-initiated disconnect.  When that's done
1292          * there should be no trees left, but check anyway.
1293          */
1294         smb_session_disconnect_trees(session);
1295 }
1296 
1297 /*
1298  * Copy the session workstation/client name to buf.  If the workstation
1299  * is an empty string (which it will be on TCP connections), use the
1300  * client IP address.
1301  */
1302 void
1303 smb_session_getclient(smb_session_t *sn, char *buf, size_t buflen)
1304 {
1305 
1306         *buf = '\0';
1307 
1308         if (sn->workstation[0] != '\0') {
1309                 (void) strlcpy(buf, sn->workstation, buflen);
1310                 return;
1311         }
1312 
1313         (void) strlcpy(buf, sn->ip_addr_str, buflen);
1314 }
1315 
1316 /*
1317  * Check whether or not the specified client name is the client of this
1318  * session.  The name may be in UNC format (\\CLIENT).
1319  *
1320  * A workstation/client name is setup on NBT connections as part of the
1321  * NetBIOS session request but that isn't available on TCP connections.
1322  * If the session doesn't have a client name we typically return the
1323  * client IP address as the workstation name on MSRPC requests.  So we
1324  * check for the IP address here in addition to the workstation name.
1325  */
1326 boolean_t
1327 smb_session_isclient(smb_session_t *sn, const char *client)
1328 {
1329 
1330         client += strspn(client, "\\");
1331 
1332         if (smb_strcasecmp(client, sn->workstation, 0) == 0)
1333                 return (B_TRUE);
1334 
1335         if (smb_strcasecmp(client, sn->ip_addr_str, 0) == 0)
1336                 return (B_TRUE);
1337 
1338         return (B_FALSE);
1339 }
1340 
1341 /*
1342  * smb_request_alloc
1343  *
1344  * Allocate an smb_request_t structure from the kmem_cache.  Partially
1345  * initialize the found/new request.
1346  *
1347  * Returns pointer to a request, or NULL if the session state is
1348  * one in which new requests are no longer allowed.
1349  */
1350 smb_request_t *
1351 smb_request_alloc(smb_session_t *session, int req_length)
1352 {
1353         smb_request_t   *sr;
1354 
1355         ASSERT(session->s_magic == SMB_SESSION_MAGIC);
1356         ASSERT(req_length <= session->cmd_max_bytes);
1357 
1358         sr = kmem_cache_alloc(smb_cache_request, KM_SLEEP);
1359 
1360         /*
1361          * Future:  Use constructor to pre-initialize some fields.  For now
1362          * there are so many fields that it is easiest just to zero the
1363          * whole thing and start over.
1364          */
1365         bzero(sr, sizeof (smb_request_t));
1366 
1367         mutex_init(&sr->sr_mutex, NULL, MUTEX_DEFAULT, NULL);
1368         smb_srm_init(sr);
1369         sr->session = session;
1370         sr->sr_server = session->s_server;
1371         sr->sr_gmtoff = session->s_server->si_gmtoff;
1372         sr->sr_cfg = &session->s_cfg;
1373         sr->command.max_bytes = req_length;
1374         sr->reply.max_bytes = session->reply_max_bytes;
1375         sr->sr_req_length = req_length;
1376         if (req_length)
1377                 sr->sr_request_buf = kmem_alloc(req_length, KM_SLEEP);
1378         sr->sr_magic = SMB_REQ_MAGIC;
1379         sr->sr_state = SMB_REQ_STATE_INITIALIZING;
1380 
1381         /*
1382          * Only allow new SMB requests in some states.
1383          */
1384         smb_rwx_rwenter(&session->s_lock, RW_WRITER);
1385         switch (session->s_state) {
1386         case SMB_SESSION_STATE_CONNECTED:
1387         case SMB_SESSION_STATE_INITIALIZED:
1388         case SMB_SESSION_STATE_ESTABLISHED:
1389         case SMB_SESSION_STATE_NEGOTIATED:
1390                 smb_slist_insert_tail(&session->s_req_list, sr);
1391                 break;
1392 
1393         default:
1394                 ASSERT(0);
1395                 /* FALLTHROUGH */
1396         case SMB_SESSION_STATE_DISCONNECTED:
1397         case SMB_SESSION_STATE_SHUTDOWN:
1398         case SMB_SESSION_STATE_TERMINATED:
1399                 /* Disallow new requests in these states. */
1400                 if (sr->sr_request_buf)
1401                         kmem_free(sr->sr_request_buf, sr->sr_req_length);
1402                 sr->session = NULL;
1403                 sr->sr_magic = 0;
1404                 mutex_destroy(&sr->sr_mutex);
1405                 kmem_cache_free(smb_cache_request, sr);
1406                 sr = NULL;
1407                 break;
1408         }
1409         smb_rwx_rwexit(&session->s_lock);
1410 
1411         return (sr);
1412 }
1413 
1414 /*
1415  * smb_request_free
1416  *
1417  * release the memories which have been allocated for a smb request.
1418  */
1419 void
1420 smb_request_free(smb_request_t *sr)
1421 {
1422         ASSERT(sr->sr_magic == SMB_REQ_MAGIC);
1423         ASSERT(sr->session);
1424         ASSERT(sr->r_xa == NULL);
1425 
1426         if (sr->fid_ofile != NULL) {
1427                 smb_ofile_release(sr->fid_ofile);
1428         }
1429 
1430         if (sr->tid_tree != NULL)
1431                 smb_tree_release(sr->tid_tree);
1432 
1433         if (sr->uid_user != NULL)
1434                 smb_user_release(sr->uid_user);
1435 
1436         if (sr->tform_ssn != NULL)
1437                 smb_user_release(sr->tform_ssn);
1438 
1439         /*
1440          * The above may have left work on the delete queues
1441          */
1442         smb_llist_flush(&sr->session->s_tree_list);
1443         smb_llist_flush(&sr->session->s_user_list);
1444 
1445         smb_slist_remove(&sr->session->s_req_list, sr);
1446 
1447         sr->session = NULL;
1448 
1449         smb_srm_fini(sr);
1450 
1451         if (sr->sr_request_buf)
1452                 kmem_free(sr->sr_request_buf, sr->sr_req_length);
1453         if (sr->command.chain)
1454                 m_freem(sr->command.chain);
1455         if (sr->reply.chain)
1456                 m_freem(sr->reply.chain);
1457         if (sr->raw_data.chain)
1458                 m_freem(sr->raw_data.chain);
1459 
1460         sr->sr_magic = 0;
1461         mutex_destroy(&sr->sr_mutex);
1462         kmem_cache_free(smb_cache_request, sr);
1463 }
1464 
1465 boolean_t
1466 smb_session_oplocks_enable(smb_session_t *session)
1467 {
1468         SMB_SESSION_VALID(session);
1469         if (session->s_cfg.skc_oplock_enable == 0)
1470                 return (B_FALSE);
1471         else
1472                 return (B_TRUE);
1473 }
1474 
1475 boolean_t
1476 smb_session_levelII_oplocks(smb_session_t *session)
1477 {
1478         SMB_SESSION_VALID(session);
1479 
1480         /* Older clients only do Level II oplocks if negotiated. */
1481         if ((session->capabilities & CAP_LEVEL_II_OPLOCKS) != 0)
1482                 return (B_TRUE);
1483 
1484         return (B_FALSE);
1485 }
1486 
1487 static void
1488 smb_session_genkey(smb_session_t *session)
1489 {
1490         uint8_t         tmp_key[SMB_CHALLENGE_SZ];
1491 
1492         (void) random_get_pseudo_bytes(tmp_key, SMB_CHALLENGE_SZ);
1493         bcopy(tmp_key, &session->challenge_key, SMB_CHALLENGE_SZ);
1494         session->challenge_len = SMB_CHALLENGE_SZ;
1495 
1496         (void) random_get_pseudo_bytes(tmp_key, 4);
1497         session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
1498             tmp_key[2] << 16 | tmp_key[3] << 24;
1499 }