1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2016 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 
  26 /*
  27  * Notes on the virtual circuit (VC) values in the SMB Negotiate
  28  * response and SessionSetupAndx request.
  29  *
  30  * A virtual circuit (VC) represents a connection between a client and a
  31  * server using a reliable, session oriented transport protocol, such as
  32  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
  33  * single underlying transport connection, i.e. a single NetBIOS session,
  34  * which limited performance for raw data transfers.
  35  *
  36  * The intention behind multiple VCs was to improve performance by
  37  * allowing parallelism over each NetBIOS session. For example, raw data
  38  * could be transmitted using a different VC from other types of SMB
  39  * requests to remove the interleaving restriction while a raw transfer
  40  * is in progress. So the MaxNumberVcs field was added to the negotiate
  41  * response to make the number of VCs configurable and to allow servers
  42  * to specify how many they were prepared to support per session
  43  * connection. This turned out to be difficult to manage and, with
  44  * technology improvements, it has become obsolete.
  45  *
  46  * Servers should set the MaxNumberVcs value in the Negotiate response
  47  * to 1. Clients should probably ignore it. If a server receives a
  48  * SessionSetupAndx with a VC value of 0, it should close all other
  49  * VCs to that client. If it receives a non-zero VC, it should leave
  50  * other VCs in tact.
  51  *
  52  */
  53 
  54 /*
  55  * SMB: negotiate
  56  *
  57  * Client Request                Description
  58  * ============================  =======================================
  59  *
  60  * UCHAR WordCount;              Count of parameter words = 0
  61  * USHORT ByteCount;             Count of data bytes; min = 2
  62  * struct {
  63  *    UCHAR BufferFormat;        0x02 -- Dialect
  64  *    UCHAR DialectName[];       ASCII null-terminated string
  65  * } Dialects[];
  66  *
  67  * The Client sends a list of dialects that it can communicate with.  The
  68  * response is a selection of one of those dialects (numbered 0 through n)
  69  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
  70  * The negotiate message is binding on the virtual circuit and must be
  71  * sent.  One and only one negotiate message may be sent, subsequent
  72  * negotiate requests will be rejected with an error response and no action
  73  * will be taken.
  74  *
  75  * The protocol does not impose any particular structure to the dialect
  76  * strings.  Implementors of particular protocols may choose to include,
  77  * for example, version numbers in the string.
  78  *
  79  * If the server does not understand any of the dialect strings, or if PC
  80  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
  81  *
  82  * Server Response               Description
  83  * ============================  =======================================
  84  *
  85  * UCHAR WordCount;              Count of parameter words = 1
  86  * USHORT DialectIndex;          Index of selected dialect
  87  * USHORT ByteCount;             Count of data bytes = 0
  88  *
  89  * If the chosen dialect is greater than core up to and including
  90  * LANMAN2.1, the protocol response format is
  91  *
  92  * Server Response               Description
  93  * ============================  =======================================
  94  *
  95  * UCHAR WordCount;              Count of parameter words = 13
  96  * USHORT  DialectIndex;         Index of selected dialect
  97  * USHORT  SecurityMode;         Security mode:
  98  *                               bit 0: 0 = share, 1 = user
  99  *                               bit 1: 1 = use challenge/response
 100  *                               authentication
 101  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
 102  * USHORT  MaxMpxCount;          Max pending multiplexed requests
 103  * USHORT  MaxNumberVcs;         Max VCs between client and server
 104  * USHORT  RawMode;              Raw modes supported:
 105  *                                bit 0: 1 = Read Raw supported
 106  *                                bit 1: 1 = Write Raw supported
 107  * ULONG SessionKey;             Unique token identifying this session
 108  * SMB_TIME ServerTime;          Current time at server
 109  * SMB_DATE ServerDate;          Current date at server
 110  * USHORT ServerTimeZone;        Current time zone at server
 111  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
 112  * USHORT  Reserved;             MBZ
 113  * USHORT  ByteCount             Count of data bytes
 114  * UCHAR EncryptionKey[];        The challenge encryption key
 115  * STRING PrimaryDomain[];       The server's primary domain
 116  *
 117  * MaxBufferSize is the size of the largest message which the client can
 118  * legitimately send to the server
 119  *
 120  * If  bit0 of the Flags field is set in the negotiate response, this
 121  * indicates the server supports the SMB_COM_LOCK_AND_READ and
 122  * SMB_COM_WRITE_AND_UNLOCK client requests.
 123  *
 124  * If the SecurityMode field indicates the server is running in user mode,
 125  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
 126  * before the server will allow the client to access resources.   If the
 127  * SecurityMode fields indicates the client should use challenge/response
 128  * authentication, the client should use the authentication mechanism
 129  * specified in section 2.10.
 130  *
 131  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
 132  * to the server when using multiplexed reads or writes (see sections 5.13
 133  * and 5.25)
 134  *
 135  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
 136  * form of raw reads than documented here, and servers are better off
 137  * setting RawMode in this response to 0 for such sessions.
 138  *
 139  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
 140  * PrimaryDomain string should be included in this response.
 141  *
 142  * If the negotiated dialect is NT LM 0.12, the response format is
 143  *
 144  * Server Response            Description
 145  * ========================== =========================================
 146  *
 147  * UCHAR WordCount;           Count of parameter words = 17
 148  * USHORT DialectIndex;       Index of selected dialect
 149  * UCHAR SecurityMode;        Security mode:
 150  *                             bit 0: 0 = share, 1 = user
 151  *                             bit 1: 1 = encrypt passwords
 152  * USHORT MaxMpxCount;        Max pending multiplexed requests
 153  * USHORT MaxNumberVcs;       Max VCs between client and server
 154  * ULONG MaxBufferSize;       Max transmit buffer size
 155  * ULONG MaxRawSize;          Maximum raw buffer size
 156  * ULONG SessionKey;          Unique token identifying this session
 157  * ULONG Capabilities;        Server capabilities
 158  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
 159  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
 160  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
 161  * UCHAR EncryptionKeyLength; Length of encryption key.
 162  * USHORT ByteCount;          Count of data bytes
 163  * UCHAR EncryptionKey[];     The challenge encryption key
 164  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
 165  *
 166  * In addition to the definitions above, MaxBufferSize is the size of the
 167  * largest message which the client can legitimately send to the server.
 168  * If the client is using a connectionless protocol,  MaxBufferSize must be
 169  * set to the smaller of the server's internal buffer size and the amount
 170  * of data which can be placed in a response packet.
 171  *
 172  * MaxRawSize specifies the maximum message size the server can send or
 173  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
 174  *
 175  * Connectionless clients must set Sid to 0 in the SMB request header.
 176  *
 177  * Capabilities allows the server to tell the client what it supports.
 178  * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
 179  * the negotiate response capabilities but it caused problems with
 180  * Windows 2000. It is probably not valid, it doesn't appear in the
 181  * CIFS spec.
 182  *
 183  * 4.1.1.1   Errors
 184  *
 185  * SUCCESS/SUCCESS
 186  * ERRSRV/ERRerror
 187  */
 188 #include <sys/types.h>
 189 #include <sys/socket.h>
 190 #include <netinet/in.h>
 191 #include <smbsrv/smb_kproto.h>
 192 #include <smbsrv/smbinfo.h>
 193 
 194 static const smb_xlate_t smb_dialect[] = {
 195         { DIALECT_UNKNOWN,              "DIALECT_UNKNOWN" },
 196         { PC_NETWORK_PROGRAM_1_0,       "PC NETWORK PROGRAM 1.0" },
 197         { PCLAN1_0,                     "PCLAN1.0" },
 198         { MICROSOFT_NETWORKS_1_03,      "MICROSOFT NETWORKS 1.03" },
 199         { MICROSOFT_NETWORKS_3_0,       "MICROSOFT NETWORKS 3.0" },
 200         { LANMAN1_0,                    "LANMAN1.0" },
 201         { LM1_2X002,                    "LM1.2X002" },
 202         { DOS_LM1_2X002,                "DOS LM1.2X002" },
 203         { DOS_LANMAN2_1,                "DOS LANMAN2.1" },
 204         { LANMAN2_1,                    "LANMAN2.1" },
 205         { Windows_for_Workgroups_3_1a,  "Windows for Workgroups 3.1a" },
 206         { NT_LM_0_12,                   "NT LM 0.12" },
 207         { DIALECT_SMB2002,              "SMB 2.002" },
 208         { DIALECT_SMB2XXX,              "SMB 2.???" },
 209 };
 210 static int smb_ndialects = sizeof (smb_dialect) / sizeof (smb_dialect[0]);
 211 
 212 /*
 213  * Maximum buffer size for DOS: chosen to be the same as NT.
 214  * Do not change this value, DOS is very sensitive to it.
 215  */
 216 #define SMB_DOS_MAXBUF                  0x1104
 217 
 218 /*
 219  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
 220  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
 221  * send the next set of data. If we return a window value of 40KB, after
 222  * sending 8700 bytes of data, it will start the next set of data from 40KB
 223  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
 224  * September 2000.
 225  *
 226  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
 227  * for a larger TCP window sizei based on observations of Windows 2000 and
 228  * performance testing. March 2003.
 229  */
 230 static uint32_t smb_dos_tcp_rcvbuf = 8700;
 231 static uint32_t smb_nt_tcp_rcvbuf = 1048560;    /* scale factor of 4 */
 232 
 233 /*
 234  * Maximum number of simultaneously pending SMB requests allowed on
 235  * one connection.  This is like "credits" in SMB2, but SMB1 uses a
 236  * fixed limit, having no way to request an increase like SMB2 does.
 237  * Note: Some older clients only handle the low byte of this value,
 238  * so this value should be less than 256.
 239  */
 240 static uint16_t smb_maxmpxcount = 64;
 241 
 242 static int smb_xlate_dialect(const char *);
 243 
 244 /*
 245  * "Capabilities" offered by SMB1 Negotiate Protocol.
 246  * See smb.h for descriptions.
 247  *
 248  * CAP_RAW_MODE, CAP_MPX_MODE are obsolete.
 249  * UNICODE support is required for long share names,
 250  * long file names and streams.
 251  *
 252  * For testing, one can patch this, i.e. remove the high bit to
 253  * temporarily disable extended security, etc.
 254  */
 255 uint32_t smb1srv_capabilities =
 256         CAP_UNICODE |
 257         CAP_LARGE_FILES |
 258         CAP_NT_SMBS |
 259         CAP_RPC_REMOTE_APIS |
 260         CAP_STATUS32 |
 261         CAP_LEVEL_II_OPLOCKS |
 262         CAP_LOCK_AND_READ |
 263         CAP_NT_FIND |
 264         CAP_DFS |
 265         CAP_INFOLEVEL_PASSTHRU |
 266         CAP_LARGE_READX |
 267         CAP_LARGE_WRITEX |
 268         CAP_EXTENDED_SECURITY;
 269 
 270 /*
 271  * SMB Negotiate gets special handling.  This is called directly by
 272  * the reader thread (see smbsr_newrq_initial) with what _should_ be
 273  * an SMB1 Negotiate.  Only the "\ffSMB" header has been checked
 274  * when this is called, so this needs to check the SMB command,
 275  * if it's Negotiate execute it, then send the reply, etc.
 276  *
 277  * Since this is called directly from the reader thread, we
 278  * know this is the only thread currently using this session.
 279  * This has to duplicate some of what smb1sr_work does as a
 280  * result of bypassing the normal dispatch mechanism.
 281  *
 282  * The caller always frees this request.
 283  */
 284 int
 285 smb1_newrq_negotiate(smb_request_t *sr)
 286 {
 287         smb_sdrc_t      sdrc;
 288         uint16_t        pid_hi, pid_lo;
 289 
 290         /*
 291          * Decode the header
 292          */
 293         if (smb_mbc_decodef(&sr->command, SMB_HEADER_ED_FMT,
 294             &sr->smb_com,
 295             &sr->smb_rcls,
 296             &sr->smb_reh,
 297             &sr->smb_err,
 298             &sr->smb_flg,
 299             &sr->smb_flg2,
 300             &pid_hi,
 301             sr->smb_sig,
 302             &sr->smb_tid,
 303             &pid_lo,
 304             &sr->smb_uid,
 305             &sr->smb_mid) != 0)
 306                 return (-1);
 307         if (sr->smb_com != SMB_COM_NEGOTIATE)
 308                 return (-1);
 309 
 310         sr->smb_pid = (pid_hi << 16) | pid_lo;
 311 
 312         /*
 313          * Reserve space for the reply header.
 314          */
 315         (void) smb_mbc_encodef(&sr->reply, "#.", SMB_HEADER_LEN);
 316         sr->first_smb_com = sr->smb_com;
 317 
 318         if (smb_mbc_decodef(&sr->command, "b", &sr->smb_wct) != 0)
 319                 return (-1);
 320         (void) MBC_SHADOW_CHAIN(&sr->smb_vwv, &sr->command,
 321             sr->command.chain_offset, sr->smb_wct * 2);
 322 
 323         if (smb_mbc_decodef(&sr->command, "#.w", sr->smb_wct*2, &sr->smb_bcc))
 324                 return (-1);
 325         (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
 326             sr->command.chain_offset, sr->smb_bcc);
 327 
 328         sr->command.chain_offset += sr->smb_bcc;
 329         if (sr->command.chain_offset > sr->command.max_bytes)
 330                 return (-1);
 331 
 332         /* Store pointers for later */
 333         sr->cur_reply_offset = sr->reply.chain_offset;
 334 
 335         sdrc = smb_pre_negotiate(sr);
 336         if (sdrc == SDRC_SUCCESS)
 337                 sdrc = smb_com_negotiate(sr);
 338         smb_post_negotiate(sr);
 339 
 340         if (sdrc != SDRC_NO_REPLY)
 341                 smbsr_send_reply(sr);
 342         if (sdrc == SDRC_DROP_VC)
 343                 return (-1);
 344 
 345         return (0);
 346 }
 347 
 348 smb_sdrc_t
 349 smb_pre_negotiate(smb_request_t *sr)
 350 {
 351         smb_kmod_cfg_t          *skc;
 352         smb_arg_negotiate_t     *negprot;
 353         int                     dialect;
 354         int                     pos;
 355         int                     rc = 0;
 356 
 357         skc = &sr->session->s_cfg;
 358         negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
 359         negprot->ni_index = -1;
 360         sr->sr_negprot = negprot;
 361 
 362         for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
 363                 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
 364                         smbsr_error(sr, 0, ERRSRV, ERRerror);
 365                         rc = -1;
 366                         break;
 367                 }
 368 
 369                 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
 370                         continue;
 371 
 372                 /*
 373                  * Conditionally recognize the SMB2 dialects.
 374                  */
 375                 if (dialect >= DIALECT_SMB2002 &&
 376                     skc->skc_max_protocol < SMB_VERS_2_BASE)
 377                         continue;
 378 
 379                 if (negprot->ni_dialect < dialect) {
 380                         negprot->ni_dialect = dialect;
 381                         negprot->ni_index = pos;
 382                 }
 383         }
 384 
 385         DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
 386 
 387         return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
 388 }
 389 
 390 void
 391 smb_post_negotiate(smb_request_t *sr)
 392 {
 393         smb_arg_negotiate_t     *negprot = sr->sr_negprot;
 394 
 395         DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
 396 
 397         bzero(negprot, sizeof (smb_arg_negotiate_t));
 398 }
 399 
 400 smb_sdrc_t
 401 smb_com_negotiate(smb_request_t *sr)
 402 {
 403         smb_session_t           *session = sr->session;
 404         smb_arg_negotiate_t     *negprot = sr->sr_negprot;
 405         uint16_t                secmode;
 406         uint32_t                sesskey;
 407         char                    *nbdomain;
 408         uint8_t                 *wcbuf;
 409         int                     wclen;
 410         smb_msgbuf_t            mb;
 411         int                     rc;
 412 
 413         if (session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
 414                 /* The protocol has already been negotiated. */
 415                 smbsr_error(sr, 0, ERRSRV, ERRerror);
 416                 return (SDRC_ERROR);
 417         }
 418 
 419         /*
 420          * Special case for negotiating SMB2 from SMB1.  The client
 421          * includes the  "SMB 2..." dialects in the SMB1 negotiate,
 422          * and if SMB2 is enabled, we choose one of those and then
 423          * send an SMB2 reply to that SMB1 request.  Yes, it's very
 424          * strange, but this SMB1 request can have an SMB2 reply!
 425          * To accomplish this, we let the SMB2 code send the reply
 426          * and return the special code SDRC_NO_REPLY to the SMB1
 427          * dispatch logic so it will NOT send an SMB1 reply.
 428          * (Or possibly send an SMB1 error reply.)
 429          */
 430         if (negprot->ni_dialect >= DIALECT_SMB2002) {
 431                 rc = smb1_negotiate_smb2(sr);
 432                 ASSERT(rc == SDRC_NO_REPLY ||
 433                     rc == SDRC_DROP_VC || rc == SDRC_ERROR);
 434                 return (rc);
 435         }
 436 
 437         session->srv_secmode = NEGOTIATE_ENCRYPT_PASSWORDS |
 438             NEGOTIATE_USER_SECURITY;
 439         secmode = session->srv_secmode;
 440         sesskey = session->sesskey;
 441 
 442         negprot->ni_servertime.tv_sec = gethrestime_sec();
 443         negprot->ni_servertime.tv_nsec = 0;
 444         negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
 445         negprot->ni_maxmpxcount = smb_maxmpxcount;
 446         negprot->ni_keylen = SMB_CHALLENGE_SZ;
 447         bcopy(&session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ);
 448         nbdomain = sr->sr_cfg->skc_nbdomain;
 449 
 450         negprot->ni_capabilities = smb1srv_capabilities;
 451 
 452         switch (negprot->ni_dialect) {
 453         case PC_NETWORK_PROGRAM_1_0:    /* core */
 454                 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
 455                     SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
 456                     sizeof (smb_dos_tcp_rcvbuf), CRED());
 457                 rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
 458                     negprot->ni_index, 0);
 459                 break;
 460 
 461         case Windows_for_Workgroups_3_1a:
 462         case PCLAN1_0:
 463         case MICROSOFT_NETWORKS_1_03:
 464         case MICROSOFT_NETWORKS_3_0:
 465         case LANMAN1_0:
 466         case LM1_2X002:
 467         case DOS_LM1_2X002:
 468                 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
 469                     SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
 470                     sizeof (smb_dos_tcp_rcvbuf), CRED());
 471                 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
 472                 rc = smbsr_encode_result(sr, 13, VAR_BCC,
 473                     "bwwwwwwlYww2.w#c",
 474                     13,                         /* wct */
 475                     negprot->ni_index,               /* dialect index */
 476                     secmode,                    /* security mode */
 477                     SMB_DOS_MAXBUF,             /* max buffer size */
 478                     1,                          /* max MPX */
 479                     1,                          /* max VCs */
 480                     0,                          /* read/write raw */
 481                     sesskey,                    /* session key */
 482                     negprot->ni_servertime.tv_sec, /* server date/time */
 483                     negprot->ni_tzcorrection,
 484                     (uint16_t)negprot->ni_keylen, /* encryption key length */
 485                                                 /* reserved field handled 2. */
 486                     VAR_BCC,
 487                     (int)negprot->ni_keylen,
 488                     negprot->ni_key);                /* encryption key */
 489                 break;
 490 
 491         case DOS_LANMAN2_1:
 492         case LANMAN2_1:
 493                 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
 494                     SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
 495                     sizeof (smb_dos_tcp_rcvbuf), CRED());
 496                 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
 497                 rc = smbsr_encode_result(sr, 13, VAR_BCC,
 498                     "bwwwwwwlYww2.w#cs",
 499                     13,                         /* wct */
 500                     negprot->ni_index,               /* dialect index */
 501                     secmode,                    /* security mode */
 502                     SMB_DOS_MAXBUF,             /* max buffer size */
 503                     1,                          /* max MPX */
 504                     1,                          /* max VCs */
 505                     0,                          /* read/write raw */
 506                     sesskey,                    /* session key */
 507                     negprot->ni_servertime.tv_sec, /* server date/time */
 508                     negprot->ni_tzcorrection,
 509                     (uint16_t)negprot->ni_keylen, /* encryption key length */
 510                                                 /* reserved field handled 2. */
 511                     VAR_BCC,
 512                     (int)negprot->ni_keylen,
 513                     negprot->ni_key,         /* encryption key */
 514                     nbdomain);
 515                 break;
 516 
 517         case NT_LM_0_12:
 518                 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
 519                     SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
 520                     sizeof (smb_nt_tcp_rcvbuf), CRED());
 521 
 522                 /*
 523                  * Allow SMB signatures if using encrypted passwords
 524                  */
 525                 if ((secmode & NEGOTIATE_ENCRYPT_PASSWORDS) &&
 526                     sr->sr_cfg->skc_signing_enable) {
 527                         secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
 528                         if (sr->sr_cfg->skc_signing_required)
 529                                 secmode |=
 530                                     NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
 531 
 532                         session->srv_secmode = secmode;
 533                 }
 534 
 535                 /*
 536                  * Does the client want Extended Security?
 537                  * (and if we have it enabled)
 538                  * If so, handle as if a different dialect.
 539                  */
 540                 if ((sr->smb_flg2 & SMB_FLAGS2_EXT_SEC) != 0 &&
 541                     (negprot->ni_capabilities & CAP_EXTENDED_SECURITY) != 0)
 542                         goto NT_LM_0_12_ext_sec;
 543 
 544                 /* Else deny knowledge of extended security. */
 545                 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
 546                 negprot->ni_capabilities &= ~CAP_EXTENDED_SECURITY;
 547 
 548                 /*
 549                  * nbdomain is not expected to be aligned.
 550                  * Use temporary buffer to avoid alignment padding
 551                  */
 552                 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
 553                 wcbuf = smb_srm_zalloc(sr, wclen);
 554                 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
 555                 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
 556                         smb_msgbuf_term(&mb);
 557                         smbsr_error(sr, 0, ERRSRV, ERRerror);
 558                         return (SDRC_ERROR);
 559                 }
 560 
 561                 rc = smbsr_encode_result(sr, 17, VAR_BCC,
 562                     "bwbwwllllTwbw#c#c",
 563                     17,                         /* wct */
 564                     negprot->ni_index,               /* dialect index */
 565                     secmode,                    /* security mode */
 566                     negprot->ni_maxmpxcount, /* max MPX */
 567                     1,                          /* max VCs */
 568                     (DWORD)smb_maxbufsize,      /* max buffer size */
 569                     0xFFFF,                     /* max raw size */
 570                     sesskey,                    /* session key */
 571                     negprot->ni_capabilities,
 572                     &negprot->ni_servertime,     /* system time */
 573                     negprot->ni_tzcorrection,
 574                     negprot->ni_keylen,              /* encryption key length */
 575                     VAR_BCC,
 576                     (int)negprot->ni_keylen,
 577                     negprot->ni_key,         /* encryption key */
 578                     wclen,
 579                     wcbuf);                     /* nbdomain (unicode) */
 580 
 581                 smb_msgbuf_term(&mb);
 582                 break;
 583 
 584 NT_LM_0_12_ext_sec:
 585                 /*
 586                  * This is the "Extended Security" variant of
 587                  * dialect NT_LM_0_12.
 588                  */
 589                 rc = smbsr_encode_result(sr, 17, VAR_BCC,
 590                     "bwbwwllllTwbw#c#c",
 591                     17,                         /* wct */
 592                     negprot->ni_index,               /* dialect index */
 593                     secmode,                    /* security mode */
 594                     negprot->ni_maxmpxcount, /* max MPX */
 595                     1,                          /* max VCs */
 596                     (DWORD)smb_maxbufsize,      /* max buffer size */
 597                     0xFFFF,                     /* max raw size */
 598                     sesskey,                    /* session key */
 599                     negprot->ni_capabilities,
 600                     &negprot->ni_servertime,     /* system time */
 601                     negprot->ni_tzcorrection,
 602                     0,          /* encryption key length (MBZ) */
 603                     VAR_BCC,
 604                     UUID_LEN,
 605                     sr->sr_cfg->skc_machine_uuid,
 606                     sr->sr_cfg->skc_negtok_len,
 607                     sr->sr_cfg->skc_negtok);
 608                 break;
 609 
 610 
 611         default:
 612                 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
 613                 break;
 614         }
 615 
 616         if (rc != 0)
 617                 return (SDRC_ERROR);
 618 
 619         /*
 620          * Save the agreed dialect. Note that the state is also
 621          * used to detect and reject attempts to re-negotiate.
 622          */
 623         session->dialect = negprot->ni_dialect;
 624         session->s_state = SMB_SESSION_STATE_NEGOTIATED;
 625 
 626         /* Allow normal SMB1 requests now. */
 627         session->newrq_func = smb1sr_newrq;
 628 
 629         return (SDRC_SUCCESS);
 630 }
 631 
 632 static int
 633 smb_xlate_dialect(const char *dialect)
 634 {
 635         const smb_xlate_t *dp;
 636         int             i;
 637 
 638         for (i = 0; i < smb_ndialects; ++i) {
 639                 dp = &smb_dialect[i];
 640 
 641                 if (strcmp(dp->str, dialect) == 0)
 642                         return (dp->code);
 643         }
 644 
 645         return (-1);
 646 }