smb_negotiate.c revision 8348:4137e18bfaf0 
1251875Speter/*
2251875Speter * CDDL HEADER START
3251875Speter *
4251875Speter * The contents of this file are subject to the terms of the
5251875Speter * Common Development and Distribution License (the "License").
6251875Speter * You may not use this file except in compliance with the License.
7251875Speter *
8251875Speter * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9251875Speter * or http://www.opensolaris.org/os/licensing.
10251875Speter * See the License for the specific language governing permissions
11251875Speter * and limitations under the License.
12251875Speter *
13251875Speter * When distributing Covered Code, include this CDDL HEADER in each
14251875Speter * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15251875Speter * If applicable, add the following below this CDDL HEADER, with the
16251875Speter * fields enclosed by brackets "[]" replaced with your own identifying
17251875Speter * information: Portions Copyright [yyyy] [name of copyright owner]
18251875Speter *
19251875Speter * CDDL HEADER END
20251875Speter */
21251875Speter/*
22251875Speter * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23251875Speter * Use is subject to license terms.
24251875Speter */
25251875Speter
26251875Speter#pragma ident	"@(#)smb_negotiate.c	1.6	08/07/21 SMI"
27251875Speter
28251875Speter/*
29251875Speter * Notes on the virtual circuit (VC) values in the SMB Negotiate
30251875Speter * response and SessionSetupAndx request.
31251875Speter *
32251875Speter * A virtual circuit (VC) represents a connection between a client and a
33251875Speter * server using a reliable, session oriented transport protocol, such as
34251875Speter * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
35251875Speter * single underlying transport connection, i.e. a single NetBIOS session,
36251875Speter * which limited performance for raw data transfers.
37251875Speter *
38251875Speter * The intention behind multiple VCs was to improve performance by
39251875Speter * allowing parallelism over each NetBIOS session. For example, raw data
40251875Speter * could be transmitted using a different VC from other types of SMB
41251875Speter * requests to remove the interleaving restriction while a raw transfer
42251875Speter * is in progress. So the MaxNumberVcs field was added to the negotiate
43251875Speter * response to make the number of VCs configurable and to allow servers
44251875Speter * to specify how many they were prepared to support per session
45251875Speter * connection. This turned out to be difficult to manage and, with
46251875Speter * technology improvements, it has become obsolete.
47251875Speter *
48251875Speter * Servers should set the MaxNumberVcs value in the Negotiate response
49251875Speter * to 1. Clients should probably ignore it. If a server receives a
50251875Speter * SessionSetupAndx with a VC value of 0, it should close all other
51251875Speter * VCs to that client. If it receives a non-zero VC, it should leave
52251875Speter * other VCs in tact.
53251875Speter *
54251875Speter */
55251875Speter
56251875Speter/*
57251875Speter * SMB: negotiate
58251875Speter *
59251875Speter * Client Request                Description
60251875Speter * ============================  =======================================
61251875Speter *
62251875Speter * UCHAR WordCount;              Count of parameter words = 0
63251875Speter * USHORT ByteCount;             Count of data bytes; min = 2
64251875Speter * struct {
65 *    UCHAR BufferFormat;        0x02 -- Dialect
66 *    UCHAR DialectName[];       ASCII null-terminated string
67 * } Dialects[];
68 *
69 * The Client sends a list of dialects that it can communicate with.  The
70 * response is a selection of one of those dialects (numbered 0 through n)
71 * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
72 * The negotiate message is binding on the virtual circuit and must be
73 * sent.  One and only one negotiate message may be sent, subsequent
74 * negotiate requests will be rejected with an error response and no action
75 * will be taken.
76 *
77 * The protocol does not impose any particular structure to the dialect
78 * strings.  Implementors of particular protocols may choose to include,
79 * for example, version numbers in the string.
80 *
81 * If the server does not understand any of the dialect strings, or if PC
82 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
83 *
84 * Server Response               Description
85 * ============================  =======================================
86 *
87 * UCHAR WordCount;              Count of parameter words = 1
88 * USHORT DialectIndex;          Index of selected dialect
89 * USHORT ByteCount;             Count of data bytes = 0
90 *
91 * If the chosen dialect is greater than core up to and including
92 * LANMAN2.1, the protocol response format is
93 *
94 * Server Response               Description
95 * ============================  =======================================
96 *
97 * UCHAR WordCount;              Count of parameter words = 13
98 * USHORT  DialectIndex;         Index of selected dialect
99 * USHORT  SecurityMode;         Security mode:
100 *                               bit 0: 0 = share, 1 = user
101 *                               bit 1: 1 = use challenge/response
102 *                               authentication
103 * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
104 * USHORT  MaxMpxCount;          Max pending multiplexed requests
105 * USHORT  MaxNumberVcs;         Max VCs between client and server
106 * USHORT  RawMode;              Raw modes supported:
107 *                                bit 0: 1 = Read Raw supported
108 *                                bit 1: 1 = Write Raw supported
109 * ULONG SessionKey;             Unique token identifying this session
110 * SMB_TIME ServerTime;          Current time at server
111 * SMB_DATE ServerDate;          Current date at server
112 * USHORT ServerTimeZone;        Current time zone at server
113 * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
114 * USHORT  Reserved;             MBZ
115 * USHORT  ByteCount             Count of data bytes
116 * UCHAR EncryptionKey[];        The challenge encryption key
117 * STRING PrimaryDomain[];       The server's primary domain
118 *
119 * MaxBufferSize is the size of the largest message which the client can
120 * legitimately send to the server
121 *
122 * If  bit0 of the Flags field is set in the negotiate response, this
123 * indicates the server supports the SMB_COM_LOCK_AND_READ and
124 * SMB_COM_WRITE_AND_UNLOCK client requests.
125 *
126 * If the SecurityMode field indicates the server is running in user mode,
127 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
128 * before the server will allow the client to access resources.   If the
129 * SecurityMode fields indicates the client should use challenge/response
130 * authentication, the client should use the authentication mechanism
131 * specified in section 2.10.
132 *
133 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
134 * to the server when using multiplexed reads or writes (see sections 5.13
135 * and 5.25)
136 *
137 * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
138 * form of raw reads than documented here, and servers are better off
139 * setting RawMode in this response to 0 for such sessions.
140 *
141 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
142 * PrimaryDomain string should be included in this response.
143 *
144 * If the negotiated dialect is NT LM 0.12, the response format is
145 *
146 * Server Response            Description
147 * ========================== =========================================
148 *
149 * UCHAR WordCount;           Count of parameter words = 17
150 * USHORT DialectIndex;       Index of selected dialect
151 * UCHAR SecurityMode;        Security mode:
152 *                             bit 0: 0 = share, 1 = user
153 *                             bit 1: 1 = encrypt passwords
154 * USHORT MaxMpxCount;        Max pending multiplexed requests
155 * USHORT MaxNumberVcs;       Max VCs between client and server
156 * ULONG MaxBufferSize;       Max transmit buffer size
157 * ULONG MaxRawSize;          Maximum raw buffer size
158 * ULONG SessionKey;          Unique token identifying this session
159 * ULONG Capabilities;        Server capabilities
160 * ULONG SystemTimeLow;       System (UTC) time of the server (low).
161 * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
162 * USHORT ServerTimeZone;     Time zone of server (min from UTC)
163 * UCHAR EncryptionKeyLength; Length of encryption key.
164 * USHORT ByteCount;          Count of data bytes
165 * UCHAR EncryptionKey[];     The challenge encryption key
166 * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
167 *
168 * In addition to the definitions above, MaxBufferSize is the size of the
169 * largest message which the client can legitimately send to the server.
170 * If the client is using a connectionless protocol,  MaxBufferSize must be
171 * set to the smaller of the server's internal buffer size and the amount
172 * of data which can be placed in a response packet.
173 *
174 * MaxRawSize specifies the maximum message size the server can send or
175 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
176 *
177 * Connectionless clients must set Sid to 0 in the SMB request header.
178 *
179 * Capabilities allows the server to tell the client what it supports.
180 * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in
181 * the negotiate response capabilities but it caused problems with
182 * Windows 2000. It is probably not valid, it doesn't appear in the
183 * CIFS spec.
184 *
185 * 4.1.1.1   Errors
186 *
187 * SUCCESS/SUCCESS
188 * ERRSRV/ERRerror
189 */
190#include <sys/types.h>
191#include <sys/strsubr.h>
192#include <sys/socketvar.h>
193#include <sys/socket.h>
194#include <sys/random.h>
195#include <netinet/in.h>
196#include <smbsrv/smb_incl.h>
197#include <smbsrv/smbinfo.h>
198#include <smbsrv/smb_i18n.h>
199
200
201/*
202 * Maximum buffer size for DOS: chosen to be the same as NT.
203 * Do not change this value, DOS is very sensitive to it.
204 */
205#define	SMB_DOS_MAXBUF			0x1104
206
207/*
208 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
209 * with other values. DOS 6.1 seems to depend on a window value of 8700 to
210 * send the next set of data. If we return a window value of 40KB, after
211 * sending 8700 bytes of data, it will start the next set of data from 40KB
212 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
213 * September 2000.
214 *
215 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
216 * for a larger TCP window sizei based on observations of Windows 2000 and
217 * performance testing. March 2003.
218 */
219static uint32_t	smb_dos_tcp_rcvbuf = 8700;
220static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
221
222static void smb_get_security_info(smb_request_t *, unsigned short *,
223    unsigned char *, unsigned char *, uint32_t *);
224
225/*
226 * Function: int smb_com_negotiate(struct smb_request *)
227 */
228smb_sdrc_t
229smb_pre_negotiate(smb_request_t *sr)
230{
231	DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
232	return (SDRC_SUCCESS);
233}
234
235void
236smb_post_negotiate(smb_request_t *sr)
237{
238	DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
239}
240
241smb_sdrc_t
242smb_com_negotiate(smb_request_t *sr)
243{
244	int			dialect = 0;
245	int			this_dialect;
246	unsigned char		keylen;
247	int			sel_pos = -1;
248	int			pos;
249	char 			key[32];
250	char			*p;
251	timestruc_t		time_val;
252	unsigned short		secmode;
253	uint32_t		sesskey;
254	uint32_t		capabilities = 0;
255	int			rc;
256	unsigned short		max_mpx_count;
257	int16_t			tz_correction;
258	char			ipaddr_buf[INET_ADDRSTRLEN];
259	char			*tmpbuf;
260	int			buflen;
261	smb_msgbuf_t		mb;
262
263	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
264		/* The protocol has already been negotiated. */
265		smbsr_error(sr, 0, ERRSRV, ERRerror);
266		return (SDRC_ERROR);
267	}
268
269	for (pos = 0;
270	    sr->smb_data.chain_offset < sr->smb_data.max_bytes;
271	    pos++) {
272		if (smb_mbc_decodef(&sr->smb_data, "%L", sr, &p) != 0) {
273			smbsr_error(sr, 0, ERRSRV, ERRerror);
274			return (SDRC_ERROR);
275		}
276
277		this_dialect = smb_xlate_dialect_str_to_cd(p);
278
279		if (this_dialect < 0)
280			continue;
281
282		if (dialect < this_dialect) {
283			dialect = this_dialect;
284			sel_pos = pos;
285		}
286	}
287
288	smb_get_security_info(sr, &secmode, (unsigned char *)key,
289	    &keylen, &sesskey);
290
291	(void) microtime(&time_val);
292	tz_correction = sr->sr_gmtoff / 60;
293
294	switch (dialect) {
295	case PC_NETWORK_PROGRAM_1_0:	/* core */
296		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
297		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
298		    sizeof (smb_dos_tcp_rcvbuf), CRED());
299		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
300		break;
301
302	case Windows_for_Workgroups_3_1a:
303	case PCLAN1_0:
304	case MICROSOFT_NETWORKS_1_03:
305	case MICROSOFT_NETWORKS_3_0:
306	case LANMAN1_0:
307	case LM1_2X002:
308	case DOS_LM1_2X002:
309		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
310		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
311		    sizeof (smb_dos_tcp_rcvbuf), CRED());
312		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
313		rc = smbsr_encode_result(sr, 13, VAR_BCC,
314		    "bwwwwwwlYww2.w#c",
315		    13,		/* wct */
316		    sel_pos,	/* dialect index */
317		    secmode,		/* security mode */
318		    SMB_DOS_MAXBUF,	/* max buffer size */
319		    1,		/* max MPX (temporary) */
320		    1,		/* max VCs (temporary, ambiguous) */
321		    3,		/* raw mode (s/b 3) */
322		    sesskey,	/* session key */
323		    time_val.tv_sec, /* server time/date */
324		    tz_correction,
325		    (short)keylen,	/* Encryption Key Length */
326				/* reserved field handled 2. */
327		    VAR_BCC,
328		    (int)keylen,
329		    key);		/* encryption key */
330		break;
331
332	case DOS_LANMAN2_1:
333	case LANMAN2_1:
334		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
335		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
336		    sizeof (smb_dos_tcp_rcvbuf), CRED());
337		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
338		rc = smbsr_encode_result(sr, 13, VAR_BCC,
339		    "bwwwwwwlYww2.w#cs",
340		    13,		/* wct */
341		    sel_pos,	/* dialect index */
342		    secmode,		/* security mode */
343		    SMB_DOS_MAXBUF,	/* max buffer size */
344		    1,		/* max MPX (temporary) */
345		    1,		/* max VCs (temporary, ambiguous) */
346		    3,		/* raw mode (s/b 3) */
347		    sesskey,	/* session key */
348		    time_val.tv_sec, /* server time/date */
349		    tz_correction,
350		    (short)keylen,	/* Encryption Key Length */
351				/* reserved field handled 2. */
352		    VAR_BCC,
353		    (int)keylen,
354		    key,		/* encryption key */
355		    sr->sr_cfg->skc_nbdomain);
356		break;
357
358	case NT_LM_0_12:
359		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
360		    SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
361		    sizeof (smb_nt_tcp_rcvbuf), CRED());
362		capabilities = CAP_LARGE_FILES
363		    | CAP_NT_SMBS
364		    | CAP_STATUS32
365		    | CAP_NT_FIND
366		    | CAP_RAW_MODE
367		    | CAP_LEVEL_II_OPLOCKS
368		    | CAP_LOCK_AND_READ
369		    | CAP_RPC_REMOTE_APIS
370		    | CAP_LARGE_READX;
371
372		/*
373		 * UNICODE support is required to enable support for long
374		 * share names and long file names and streams.
375		 */
376
377		capabilities |= CAP_UNICODE;
378
379
380		/*
381		 * Turn off Extended Security Negotiation
382		 */
383		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
384
385		/*
386		 * Allow SMB signatures if security challenge response enabled
387		 */
388		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
389		    sr->sr_cfg->skc_signing_enable) {
390			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
391			if (sr->sr_cfg->skc_signing_required)
392				secmode |=
393				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
394
395			sr->session->secmode = secmode;
396		}
397
398		(void) inet_ntop(AF_INET, (char *)&sr->session->ipaddr,
399		    ipaddr_buf, sizeof (ipaddr_buf));
400
401		max_mpx_count = sr->sr_cfg->skc_maxworkers;
402
403		/*
404		 * skc_nbdomain is not expected to be aligned.
405		 * Use temporary buffer to avoid alignment padding
406		 */
407		buflen = mts_wcequiv_strlen(sr->sr_cfg->skc_nbdomain) +
408		    sizeof (mts_wchar_t);
409		tmpbuf = kmem_zalloc(buflen, KM_SLEEP);
410		smb_msgbuf_init(&mb, (uint8_t *)tmpbuf, buflen,
411		    SMB_MSGBUF_UNICODE);
412		if (smb_msgbuf_encode(&mb, "U",
413		    sr->sr_cfg->skc_nbdomain) < 0) {
414			smb_msgbuf_term(&mb);
415			kmem_free(tmpbuf, buflen);
416			smbsr_error(sr, 0, ERRSRV, ERRerror);
417			return (SDRC_ERROR);
418		}
419
420		rc = smbsr_encode_result(sr, 17, VAR_BCC,
421		    "bwbwwllllTwbw#c#c",
422		    17,		/* wct */
423		    sel_pos,	/* dialect index */
424		    secmode,	/* security mode */
425		    max_mpx_count,		/* max MPX (temporary) */
426		    1,		/* max VCs (temporary, ambiguous) */
427		    (DWORD)smb_maxbufsize,	/* max buffer size */
428		    0xFFFF,	/* max raw size */
429		    sesskey,	/* session key */
430		    capabilities,
431		    &time_val,	/* system time */
432		    tz_correction,
433		    keylen,	/* Encryption Key Length */
434		    VAR_BCC,
435		    (int)keylen,
436		    key,	/* encryption key */
437		    buflen,
438		    tmpbuf);	/* skc_nbdomain */
439
440		smb_msgbuf_term(&mb);
441		kmem_free(tmpbuf, buflen);
442		break;
443
444	default:
445		sel_pos = -1;
446		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
447		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
448	}
449
450	if (rc != 0)
451		return (SDRC_ERROR);
452
453	/*
454	 * Save the agreed dialect. Note that this value is also
455	 * used to detect and reject attempts to re-negotiate.
456	 */
457	sr->session->dialect = dialect;
458	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
459	return (SDRC_SUCCESS);
460}
461
462static void
463smb_get_security_info(
464    struct smb_request *sr,
465    unsigned short *secmode,
466    unsigned char *key,
467    unsigned char *keylen,
468    uint32_t *sesskey)
469{
470	uchar_t tmp_key[8];
471
472	(void) random_get_pseudo_bytes(tmp_key, 8);
473	bcopy(tmp_key, &sr->session->challenge_key, 8);
474	sr->session->challenge_len = 8;
475	*keylen = 8;
476	bcopy(tmp_key, key, 8);
477
478	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE|
479	    NEGOTIATE_SECURITY_USER_LEVEL;
480
481	(void) random_get_pseudo_bytes(tmp_key, 4);
482	sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
483	    tmp_key[2] << 16 | tmp_key[3] << 24;
484
485	*secmode = sr->session->secmode;
486	*sesskey = sr->session->sesskey;
487}
488