1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
|
/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Dispatch function for SMB2_NEGOTIATE
*/
#include <smbsrv/smb2_kproto.h>
#include <smbsrv/smb2.h>
static int smb2_negotiate_common(smb_request_t *, uint16_t);
uint32_t smb2srv_capabilities =
SMB2_CAP_DFS |
SMB2_CAP_LARGE_MTU;
/*
* These are not intended as customer tunables, but dev. & test folks
* might want to adjust them (with caution).
*
* smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
* with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
* This is also used as a "sanity limit" for internal send/reply message
* allocations. Note that with compounding SMB2 messages may contain
* multiple requests/responses. This size should be large enough for
* at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
*
* smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
* the client the largest read and write request size we'll support.
* One megabyte is a compromise between efficiency on fast networks
* and memory consumption (for the buffers) on the server side.
*
* smb2_max_trans is the largest "transact" send or receive, which is
* used for directory listings and info set/get operations.
*/
uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
uint32_t smb2_max_rwsize = (1<<20); /* 1MB */
uint32_t smb2_max_trans = (1<<16); /* 64KB */
/*
* With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
* (including all clients using dialect < SMB 2.1), use a "conservative" value
* for max r/w size because some older clients misbehave with larger values.
* 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
* Support) as the minimum so we'll use that.
*/
uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
/*
* List of all SMB2 versions we implement. Note that the
* highest version we support may be limited by the
* _cfg.skc_max_protocol setting.
*/
static uint16_t smb2_versions[] = {
0x202, /* SMB 2.002 */
0x210, /* SMB 2.1 */
};
static uint16_t smb2_nversions =
sizeof (smb2_versions) / sizeof (smb2_versions[0]);
static boolean_t
smb2_supported_version(smb_session_t *s, uint16_t version)
{
int i;
if (version > s->s_cfg.skc_max_protocol)
return (B_FALSE);
for (i = 0; i < smb2_nversions; i++)
if (version == smb2_versions[i])
return (B_TRUE);
return (B_FALSE);
}
/*
* Helper for the (SMB1) smb_com_negotiate(). This is the
* very unusual protocol interaction where an SMB1 negotiate
* gets an SMB2 negotiate response. This is the normal way
* clients first find out if the server supports SMB2.
*
* Note: This sends an SMB2 reply _itself_ and then returns
* SDRC_NO_REPLY so the caller will not send an SMB1 reply.
* Also, this is called directly from the reader thread, so
* we know this is the only thread using this session.
*
* The caller frees this request.
*/
smb_sdrc_t
smb1_negotiate_smb2(smb_request_t *sr)
{
smb_session_t *s = sr->session;
smb_arg_negotiate_t *negprot = sr->sr_negprot;
uint16_t smb2_version;
uint16_t secmode2;
int rc;
/*
* Note: In the SMB1 negotiate command handler, we
* agreed with one of the SMB2 dialects. If that
* dialect was "SMB 2.002", we'll respond here with
* version 0x202 and negotiation is done. If that
* dialect was "SMB 2.???", we'll respond here with
* the "wildcard" version 0x2FF, and the client will
* come back with an SMB2 negotiate.
*/
switch (negprot->ni_dialect) {
case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
smb2_version = 0x202;
s->dialect = smb2_version;
s->s_state = SMB_SESSION_STATE_NEGOTIATED;
/* Allow normal SMB2 requests now. */
s->newrq_func = smb2sr_newrq;
/*
* Translate SMB1 sec. mode to SMB2.
*/
secmode2 = 0;
if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
s->secmode = secmode2;
break;
case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
/*
* Expecting an SMB2 negotiate next, so keep the
* initial s->newrq_func. Note that secmode is
* fiction good enough to pass the signing check
* in smb2_negotiate_common(). We'll check the
* real secmode when the 2nd negotiate comes.
*/
smb2_version = 0x2FF;
s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
break;
default:
return (SDRC_DROP_VC);
}
/*
* We did not decode an SMB2 header, so make sure
* the SMB2 header fields are initialized.
* (Most are zero from smb_request_alloc.)
* Also, the SMB1 common dispatch code reserved space
* for an SMB1 header, which we need to undo here.
*/
sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
sr->smb2_cmd_code = SMB2_NEGOTIATE;
rc = smb2_negotiate_common(sr, smb2_version);
if (rc != 0)
return (SDRC_DROP_VC);
return (SDRC_NO_REPLY);
}
/*
* SMB2 Negotiate gets special handling. This is called directly by
* the reader thread (see smbsr_newrq_initial) with what _should_ be
* an SMB2 Negotiate. Only the "\feSMB" header has been checked
* when this is called, so this needs to check the SMB command,
* if it's Negotiate execute it, then send the reply, etc.
*
* Since this is called directly from the reader thread, we
* know this is the only thread currently using this session.
* This has to duplicate some of what smb2sr_work does as a
* result of bypassing the normal dispatch mechanism.
*
* The caller always frees this request.
*/
int
smb2_newrq_negotiate(smb_request_t *sr)
{
smb_session_t *s = sr->session;
int i, rc;
uint16_t struct_size;
uint16_t best_version;
uint16_t version_cnt;
uint16_t cl_versions[8];
sr->smb2_cmd_hdr = sr->command.chain_offset;
rc = smb2_decode_header(sr);
if (rc != 0)
return (rc);
if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
(sr->smb2_next_command != 0))
return (SDRC_DROP_VC);
/*
* Decode SMB2 Negotiate (fixed-size part)
*/
rc = smb_mbc_decodef(
&sr->command, "www..l16.8.",
&struct_size, /* w */
&version_cnt, /* w */
&s->secmode, /* w */
/* reserved (..) */
&s->capabilities); /* l */
/* clnt_uuid 16. */
/* start_time 8. */
if (rc != 0)
return (rc);
if (struct_size != 36 || version_cnt > 8)
return (SDRC_DROP_VC);
/*
* Decode SMB2 Negotiate (variable part)
*/
rc = smb_mbc_decodef(&sr->command,
"#w", version_cnt, cl_versions);
if (rc != 0)
return (SDRC_DROP_VC);
/*
* The client offers an array of protocol versions it
* supports, which we have decoded into cl_versions[].
* We walk the array and pick the highest supported.
*/
best_version = 0;
for (i = 0; i < version_cnt; i++)
if (smb2_supported_version(s, cl_versions[i]) &&
best_version < cl_versions[i])
best_version = cl_versions[i];
if (best_version == 0)
return (SDRC_DROP_VC);
s->dialect = best_version;
/* Allow normal SMB2 requests now. */
s->s_state = SMB_SESSION_STATE_NEGOTIATED;
s->newrq_func = smb2sr_newrq;
rc = smb2_negotiate_common(sr, best_version);
if (rc != 0)
return (SDRC_DROP_VC);
return (0);
}
/*
* Common parts of SMB2 Negotiate, used for both the
* SMB1-to-SMB2 style, and straight SMB2 style.
* Do negotiation decisions, encode, send the reply.
*/
static int
smb2_negotiate_common(smb_request_t *sr, uint16_t version)
{
timestruc_t boot_tv, now_tv;
smb_session_t *s = sr->session;
int rc;
uint32_t max_rwsize;
uint16_t secmode;
sr->smb2_status = 0;
/*
* Negotiation itself. First the Security Mode.
* The caller stashed the client's secmode in s->secmode,
* which we validate, and then replace with the server's
* secmode, which is all we care about after this.
*/
secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
if (sr->sr_cfg->skc_signing_required) {
secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
/* Make sure client at least enables signing. */
if ((s->secmode & secmode) == 0) {
sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
}
}
s->secmode = secmode;
s->cmd_max_bytes = smb2_tcp_bufsize;
s->reply_max_bytes = smb2_tcp_bufsize;
/*
* "The number of credits held by the client MUST be considered
* as 1 when the connection is established." [MS-SMB2]
* We leave credits at 1 until the first successful
* session setup is completed.
*/
s->s_cur_credits = s->s_max_credits = 1;
sr->smb2_credit_response = 1;
boot_tv.tv_sec = smb_get_boottime();
boot_tv.tv_nsec = 0;
now_tv.tv_sec = gethrestime_sec();
now_tv.tv_nsec = 0;
/*
* SMB2 negotiate reply
*/
sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
(void) smb2_encode_header(sr, B_FALSE);
if (sr->smb2_status != 0) {
smb2sr_put_error(sr, sr->smb2_status);
smb2_send_reply(sr);
return (-1); /* will drop */
}
/*
* See notes above smb2_max_rwsize, smb2_old_rwsize
*/
if (s->capabilities & SMB2_CAP_LARGE_MTU)
max_rwsize = smb2_max_rwsize;
else
max_rwsize = smb2_old_rwsize;
rc = smb_mbc_encodef(
&sr->reply,
"wwww#cllllTTwwl#c",
65, /* StructSize */ /* w */
s->secmode, /* w */
version, /* w */
0, /* reserved */ /* w */
UUID_LEN, /* # */
&s->s_cfg.skc_machine_uuid, /* c */
smb2srv_capabilities, /* l */
smb2_max_trans, /* l */
max_rwsize, /* l */
max_rwsize, /* l */
&now_tv, /* T */
&boot_tv, /* T */
128, /* SecBufOff */ /* w */
sr->sr_cfg->skc_negtok_len, /* w */
0, /* reserved */ /* l */
sr->sr_cfg->skc_negtok_len, /* # */
sr->sr_cfg->skc_negtok); /* c */
smb2_send_reply(sr);
(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
sizeof (smb2_tcp_bufsize), CRED());
(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
sizeof (smb2_tcp_bufsize), CRED());
return (rc);
}
/*
* SMB2 Dispatch table handler, which will run if we see an
* SMB2_NEGOTIATE after the initial negotiation is done.
* That would be a protocol error.
*/
smb_sdrc_t
smb2_negotiate(smb_request_t *sr)
{
sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
return (SDRC_ERROR);
}
/*
* VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
*/
uint32_t
smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
{
smb_session_t *s = sr->session;
int rc;
/*
* The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
* and verify that the original negotiate was not modified.
* The only tampering we need worry about is secmode, and
* we're not taking that from the client, so don't bother.
*
* One interesting requirement here is that we MUST reply
* with exactly the same information as we returned in our
* original reply to the SMB2 negotiate on this session.
* If we don't the client closes the connection.
*/
rc = smb_mbc_encodef(
fsctl->out_mbc, "l#cww",
smb2srv_capabilities, /* l */
UUID_LEN, /* # */
&s->s_cfg.skc_machine_uuid, /* c */
s->secmode, /* w */
s->dialect); /* w */
if (rc)
return (NT_STATUS_INTERNAL_ERROR);
return (0);
}
|
