1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool is_server_using_iface(struct TCP_Server_Info * server,struct cifs_server_iface * iface)31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 is_ses_using_iface(struct cifs_ses * ses,struct cifs_server_iface * iface)55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 int cifs_ses_get_chan_index(struct cifs_ses * ses,struct TCP_Server_Info * server)73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 /* if the channel is waiting for termination */ 79 if (server && server->terminate) 80 return CIFS_INVAL_CHAN_INDEX; 81 82 for (i = 0; i < ses->chan_count; i++) { 83 if (ses->chans[i].server == server) 84 return i; 85 } 86 87 /* If we didn't find the channel, it is likely a bug */ 88 if (server) 89 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 90 server->conn_id); 91 return CIFS_INVAL_CHAN_INDEX; 92 } 93 94 void cifs_chan_set_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)95 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 96 struct TCP_Server_Info *server) 97 { 98 int chan_index = cifs_ses_get_chan_index(ses, server); 99 100 if (chan_index == CIFS_INVAL_CHAN_INDEX) 101 return; 102 103 ses->chans[chan_index].in_reconnect = true; 104 } 105 106 void cifs_chan_clear_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)107 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 108 struct TCP_Server_Info *server) 109 { 110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 111 112 if (chan_index == CIFS_INVAL_CHAN_INDEX) 113 return; 114 115 ses->chans[chan_index].in_reconnect = false; 116 } 117 118 bool cifs_chan_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)119 cifs_chan_in_reconnect(struct cifs_ses *ses, 120 struct TCP_Server_Info *server) 121 { 122 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 123 124 if (chan_index == CIFS_INVAL_CHAN_INDEX) 125 return true; /* err on the safer side */ 126 127 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 128 } 129 130 void cifs_chan_set_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)131 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 132 struct TCP_Server_Info *server) 133 { 134 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 135 136 if (chan_index == CIFS_INVAL_CHAN_INDEX) 137 return; 138 139 set_bit(chan_index, &ses->chans_need_reconnect); 140 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 141 chan_index, ses->chans_need_reconnect); 142 } 143 144 void cifs_chan_clear_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)145 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 146 struct TCP_Server_Info *server) 147 { 148 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 149 150 if (chan_index == CIFS_INVAL_CHAN_INDEX) 151 return; 152 153 clear_bit(chan_index, &ses->chans_need_reconnect); 154 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 155 chan_index, ses->chans_need_reconnect); 156 } 157 158 bool cifs_chan_needs_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)159 cifs_chan_needs_reconnect(struct cifs_ses *ses, 160 struct TCP_Server_Info *server) 161 { 162 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 163 164 if (chan_index == CIFS_INVAL_CHAN_INDEX) 165 return true; /* err on the safer side */ 166 167 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 168 } 169 170 bool cifs_chan_is_iface_active(struct cifs_ses * ses,struct TCP_Server_Info * server)171 cifs_chan_is_iface_active(struct cifs_ses *ses, 172 struct TCP_Server_Info *server) 173 { 174 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 175 176 if (chan_index == CIFS_INVAL_CHAN_INDEX) 177 return true; /* err on the safer side */ 178 179 return ses->chans[chan_index].iface && 180 ses->chans[chan_index].iface->is_active; 181 } 182 183 /* returns number of channels added */ cifs_try_adding_channels(struct cifs_ses * ses)184 int cifs_try_adding_channels(struct cifs_ses *ses) 185 { 186 struct TCP_Server_Info *server = ses->server; 187 int old_chan_count, new_chan_count; 188 int left; 189 int rc = 0; 190 int tries = 0; 191 size_t iface_weight = 0, iface_min_speed = 0; 192 struct cifs_server_iface *iface = NULL, *niface = NULL; 193 struct cifs_server_iface *last_iface = NULL; 194 195 spin_lock(&ses->chan_lock); 196 197 new_chan_count = old_chan_count = ses->chan_count; 198 left = ses->chan_max - ses->chan_count; 199 200 if (left <= 0) { 201 spin_unlock(&ses->chan_lock); 202 cifs_dbg(FYI, 203 "ses already at max_channels (%zu), nothing to open\n", 204 ses->chan_max); 205 return 0; 206 } 207 208 if (server->dialect < SMB30_PROT_ID) { 209 spin_unlock(&ses->chan_lock); 210 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 211 return 0; 212 } 213 214 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 215 spin_unlock(&ses->chan_lock); 216 cifs_server_dbg(VFS, "no multichannel support\n"); 217 return 0; 218 } 219 spin_unlock(&ses->chan_lock); 220 221 while (left > 0) { 222 223 tries++; 224 if (tries > 3*ses->chan_max) { 225 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 226 left); 227 break; 228 } 229 230 spin_lock(&ses->iface_lock); 231 if (!ses->iface_count) { 232 spin_unlock(&ses->iface_lock); 233 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", 234 ses->server->hostname); 235 break; 236 } 237 238 if (!iface) 239 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 240 iface_head); 241 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 242 iface_head); 243 iface_min_speed = last_iface->speed; 244 245 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 246 iface_head) { 247 /* do not mix rdma and non-rdma interfaces */ 248 if (iface->rdma_capable != ses->server->rdma) 249 continue; 250 251 /* skip ifaces that are unusable */ 252 if (!iface->is_active || 253 (is_ses_using_iface(ses, iface) && 254 !iface->rss_capable)) 255 continue; 256 257 /* check if we already allocated enough channels */ 258 iface_weight = iface->speed / iface_min_speed; 259 260 if (iface->weight_fulfilled >= iface_weight) 261 continue; 262 263 /* take ref before unlock */ 264 kref_get(&iface->refcount); 265 266 spin_unlock(&ses->iface_lock); 267 rc = cifs_ses_add_channel(ses, iface); 268 spin_lock(&ses->iface_lock); 269 270 if (rc) { 271 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 272 &iface->sockaddr, 273 rc); 274 kref_put(&iface->refcount, release_iface); 275 /* failure to add chan should increase weight */ 276 iface->weight_fulfilled++; 277 continue; 278 } 279 280 iface->num_channels++; 281 iface->weight_fulfilled++; 282 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n", 283 &iface->sockaddr); 284 break; 285 } 286 287 /* reached end of list. reset weight_fulfilled and start over */ 288 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 289 list_for_each_entry(iface, &ses->iface_list, iface_head) 290 iface->weight_fulfilled = 0; 291 spin_unlock(&ses->iface_lock); 292 iface = NULL; 293 continue; 294 } 295 spin_unlock(&ses->iface_lock); 296 297 left--; 298 new_chan_count++; 299 } 300 301 return new_chan_count - old_chan_count; 302 } 303 304 /* 305 * called when multichannel is disabled by the server. 306 * this always gets called from smb2_reconnect 307 * and cannot get called in parallel threads. 308 */ 309 void cifs_disable_secondary_channels(struct cifs_ses * ses)310 cifs_disable_secondary_channels(struct cifs_ses *ses) 311 { 312 int i, chan_count; 313 struct TCP_Server_Info *server; 314 struct cifs_server_iface *iface; 315 316 spin_lock(&ses->chan_lock); 317 chan_count = ses->chan_count; 318 if (chan_count == 1) 319 goto done; 320 321 ses->chan_count = 1; 322 323 /* for all secondary channels reset the need reconnect bit */ 324 ses->chans_need_reconnect &= 1; 325 326 for (i = 1; i < chan_count; i++) { 327 iface = ses->chans[i].iface; 328 server = ses->chans[i].server; 329 330 /* 331 * remove these references first, since we need to unlock 332 * the chan_lock here, since iface_lock is a higher lock 333 */ 334 ses->chans[i].iface = NULL; 335 ses->chans[i].server = NULL; 336 spin_unlock(&ses->chan_lock); 337 338 if (iface) { 339 spin_lock(&ses->iface_lock); 340 iface->num_channels--; 341 if (iface->weight_fulfilled) 342 iface->weight_fulfilled--; 343 kref_put(&iface->refcount, release_iface); 344 spin_unlock(&ses->iface_lock); 345 } 346 347 if (server) { 348 if (!server->terminate) { 349 server->terminate = true; 350 cifs_signal_cifsd_for_reconnect(server, false); 351 } 352 cifs_put_tcp_session(server, false); 353 } 354 355 spin_lock(&ses->chan_lock); 356 } 357 358 done: 359 spin_unlock(&ses->chan_lock); 360 } 361 362 /* 363 * update the iface for the channel if necessary. 364 * Must be called with chan_lock held. 365 */ 366 void cifs_chan_update_iface(struct cifs_ses * ses,struct TCP_Server_Info * server)367 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 368 { 369 unsigned int chan_index; 370 size_t iface_weight = 0, iface_min_speed = 0; 371 struct cifs_server_iface *iface = NULL; 372 struct cifs_server_iface *old_iface = NULL; 373 struct cifs_server_iface *last_iface = NULL; 374 struct sockaddr_storage ss; 375 376 spin_lock(&ses->chan_lock); 377 chan_index = cifs_ses_get_chan_index(ses, server); 378 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 379 spin_unlock(&ses->chan_lock); 380 return; 381 } 382 383 if (ses->chans[chan_index].iface) { 384 old_iface = ses->chans[chan_index].iface; 385 if (old_iface->is_active) { 386 spin_unlock(&ses->chan_lock); 387 return; 388 } 389 } 390 spin_unlock(&ses->chan_lock); 391 392 spin_lock(&server->srv_lock); 393 ss = server->dstaddr; 394 spin_unlock(&server->srv_lock); 395 396 spin_lock(&ses->iface_lock); 397 if (!ses->iface_count) { 398 spin_unlock(&ses->iface_lock); 399 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname); 400 return; 401 } 402 403 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 404 iface_head); 405 iface_min_speed = last_iface->speed; 406 407 /* then look for a new one */ 408 list_for_each_entry(iface, &ses->iface_list, iface_head) { 409 if (!chan_index) { 410 /* if we're trying to get the updated iface for primary channel */ 411 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 412 (struct sockaddr *) &iface->sockaddr)) 413 continue; 414 415 kref_get(&iface->refcount); 416 break; 417 } 418 419 /* do not mix rdma and non-rdma interfaces */ 420 if (iface->rdma_capable != server->rdma) 421 continue; 422 423 if (!iface->is_active || 424 (is_ses_using_iface(ses, iface) && 425 !iface->rss_capable)) { 426 continue; 427 } 428 429 /* check if we already allocated enough channels */ 430 iface_weight = iface->speed / iface_min_speed; 431 432 if (iface->weight_fulfilled >= iface_weight) 433 continue; 434 435 kref_get(&iface->refcount); 436 break; 437 } 438 439 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 440 iface = NULL; 441 cifs_dbg(FYI, "unable to find a suitable iface\n"); 442 } 443 444 if (!iface) { 445 if (!chan_index) 446 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 447 &ss); 448 else { 449 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n", 450 &old_iface->sockaddr); 451 } 452 453 spin_unlock(&ses->iface_lock); 454 return; 455 } 456 457 /* now drop the ref to the current iface */ 458 if (old_iface) { 459 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 460 &old_iface->sockaddr, 461 &iface->sockaddr); 462 463 old_iface->num_channels--; 464 if (old_iface->weight_fulfilled) 465 old_iface->weight_fulfilled--; 466 iface->num_channels++; 467 iface->weight_fulfilled++; 468 469 kref_put(&old_iface->refcount, release_iface); 470 } else if (!chan_index) { 471 /* special case: update interface for primary channel */ 472 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 473 &iface->sockaddr); 474 iface->num_channels++; 475 iface->weight_fulfilled++; 476 } 477 spin_unlock(&ses->iface_lock); 478 479 spin_lock(&ses->chan_lock); 480 chan_index = cifs_ses_get_chan_index(ses, server); 481 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 482 spin_unlock(&ses->chan_lock); 483 return; 484 } 485 486 ses->chans[chan_index].iface = iface; 487 spin_unlock(&ses->chan_lock); 488 } 489 490 /* 491 * If server is a channel of ses, return the corresponding enclosing 492 * cifs_chan otherwise return NULL. 493 */ 494 struct cifs_chan * cifs_ses_find_chan(struct cifs_ses * ses,struct TCP_Server_Info * server)495 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 496 { 497 int i; 498 499 spin_lock(&ses->chan_lock); 500 for (i = 0; i < ses->chan_count; i++) { 501 if (ses->chans[i].server == server) { 502 spin_unlock(&ses->chan_lock); 503 return &ses->chans[i]; 504 } 505 } 506 spin_unlock(&ses->chan_lock); 507 return NULL; 508 } 509 510 static int cifs_ses_add_channel(struct cifs_ses * ses,struct cifs_server_iface * iface)511 cifs_ses_add_channel(struct cifs_ses *ses, 512 struct cifs_server_iface *iface) 513 { 514 struct TCP_Server_Info *chan_server; 515 struct cifs_chan *chan; 516 struct smb3_fs_context *ctx; 517 static const char unc_fmt[] = "\\%s\\foo"; 518 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 519 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 520 size_t len; 521 int rc; 522 unsigned int xid = get_xid(); 523 524 if (iface->sockaddr.ss_family == AF_INET) 525 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 526 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 527 &ipv4->sin_addr); 528 else 529 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 530 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 531 &ipv6->sin6_addr); 532 533 /* 534 * Setup a ctx with mostly the same info as the existing 535 * session and overwrite it with the requested iface data. 536 * 537 * We need to setup at least the fields used for negprot and 538 * sesssetup. 539 * 540 * We only need the ctx here, so we can reuse memory from 541 * the session and server without caring about memory 542 * management. 543 */ 544 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 545 if (!ctx) { 546 rc = -ENOMEM; 547 goto out_free_xid; 548 } 549 550 /* Always make new connection for now (TODO?) */ 551 ctx->nosharesock = true; 552 553 /* Auth */ 554 ctx->domainauto = ses->domainAuto; 555 ctx->domainname = ses->domainName; 556 557 /* no hostname for extra channels */ 558 ctx->server_hostname = ""; 559 560 ctx->username = ses->user_name; 561 ctx->password = ses->password; 562 ctx->sectype = ses->sectype; 563 ctx->sign = ses->sign; 564 565 /* UNC and paths */ 566 /* XXX: Use ses->server->hostname? */ 567 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 568 ctx->UNC = kzalloc(len, GFP_KERNEL); 569 if (!ctx->UNC) { 570 rc = -ENOMEM; 571 goto out_free_ctx; 572 } 573 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 574 ctx->prepath = ""; 575 576 /* Reuse same version as master connection */ 577 ctx->vals = ses->server->vals; 578 ctx->ops = ses->server->ops; 579 580 ctx->noblocksnd = ses->server->noblocksnd; 581 ctx->noautotune = ses->server->noautotune; 582 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 583 ctx->echo_interval = ses->server->echo_interval / HZ; 584 ctx->max_credits = ses->server->max_credits; 585 586 /* 587 * This will be used for encoding/decoding user/domain/pw 588 * during sess setup auth. 589 */ 590 ctx->local_nls = ses->local_nls; 591 592 /* Use RDMA if possible */ 593 ctx->rdma = iface->rdma_capable; 594 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 595 596 /* reuse master con client guid */ 597 memcpy(&ctx->client_guid, ses->server->client_guid, 598 sizeof(ctx->client_guid)); 599 ctx->use_client_guid = true; 600 601 chan_server = cifs_get_tcp_session(ctx, ses->server); 602 603 spin_lock(&ses->chan_lock); 604 chan = &ses->chans[ses->chan_count]; 605 chan->server = chan_server; 606 if (IS_ERR(chan->server)) { 607 rc = PTR_ERR(chan->server); 608 chan->server = NULL; 609 spin_unlock(&ses->chan_lock); 610 goto out; 611 } 612 chan->iface = iface; 613 ses->chan_count++; 614 atomic_set(&ses->chan_seq, 0); 615 616 /* Mark this channel as needing connect/setup */ 617 cifs_chan_set_need_reconnect(ses, chan->server); 618 619 spin_unlock(&ses->chan_lock); 620 621 mutex_lock(&ses->session_mutex); 622 /* 623 * We need to allocate the server crypto now as we will need 624 * to sign packets before we generate the channel signing key 625 * (we sign with the session key) 626 */ 627 rc = smb311_crypto_shash_allocate(chan->server); 628 if (rc) { 629 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 630 mutex_unlock(&ses->session_mutex); 631 goto out; 632 } 633 634 rc = cifs_negotiate_protocol(xid, ses, chan->server); 635 if (!rc) 636 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 637 638 mutex_unlock(&ses->session_mutex); 639 640 out: 641 if (rc && chan->server) { 642 cifs_put_tcp_session(chan->server, 0); 643 644 spin_lock(&ses->chan_lock); 645 646 /* we rely on all bits beyond chan_count to be clear */ 647 cifs_chan_clear_need_reconnect(ses, chan->server); 648 ses->chan_count--; 649 /* 650 * chan_count should never reach 0 as at least the primary 651 * channel is always allocated 652 */ 653 WARN_ON(ses->chan_count < 1); 654 spin_unlock(&ses->chan_lock); 655 } 656 657 kfree(ctx->UNC); 658 out_free_ctx: 659 kfree(ctx); 660 out_free_xid: 661 free_xid(xid); 662 return rc; 663 } 664 665 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY cifs_ssetup_hdr(struct cifs_ses * ses,struct TCP_Server_Info * server,SESSION_SETUP_ANDX * pSMB)666 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 667 struct TCP_Server_Info *server, 668 SESSION_SETUP_ANDX *pSMB) 669 { 670 __u32 capabilities = 0; 671 672 /* init fields common to all four types of SessSetup */ 673 /* Note that offsets for first seven fields in req struct are same */ 674 /* in CIFS Specs so does not matter which of 3 forms of struct */ 675 /* that we use in next few lines */ 676 /* Note that header is initialized to zero in header_assemble */ 677 pSMB->req.AndXCommand = 0xFF; 678 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 679 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 680 USHRT_MAX)); 681 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 682 pSMB->req.VcNumber = cpu_to_le16(1); 683 684 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 685 686 /* BB verify whether signing required on neg or just auth frame (and NTLM case) */ 687 688 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 689 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 690 691 if (server->sign) 692 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 693 694 if (ses->capabilities & CAP_UNICODE) { 695 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 696 capabilities |= CAP_UNICODE; 697 } 698 if (ses->capabilities & CAP_STATUS32) { 699 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 700 capabilities |= CAP_STATUS32; 701 } 702 if (ses->capabilities & CAP_DFS) { 703 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 704 capabilities |= CAP_DFS; 705 } 706 if (ses->capabilities & CAP_UNIX) 707 capabilities |= CAP_UNIX; 708 709 return capabilities; 710 } 711 712 static void unicode_oslm_strings(char ** pbcc_area,const struct nls_table * nls_cp)713 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 714 { 715 char *bcc_ptr = *pbcc_area; 716 int bytes_ret = 0; 717 718 /* Copy OS version */ 719 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 720 nls_cp); 721 bcc_ptr += 2 * bytes_ret; 722 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 723 32, nls_cp); 724 bcc_ptr += 2 * bytes_ret; 725 bcc_ptr += 2; /* trailing null */ 726 727 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 728 32, nls_cp); 729 bcc_ptr += 2 * bytes_ret; 730 bcc_ptr += 2; /* trailing null */ 731 732 *pbcc_area = bcc_ptr; 733 } 734 unicode_domain_string(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)735 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 736 const struct nls_table *nls_cp) 737 { 738 char *bcc_ptr = *pbcc_area; 739 int bytes_ret = 0; 740 741 /* copy domain */ 742 if (ses->domainName == NULL) { 743 /* 744 * Sending null domain better than using a bogus domain name (as 745 * we did briefly in 2.6.18) since server will use its default 746 */ 747 *bcc_ptr = 0; 748 *(bcc_ptr+1) = 0; 749 bytes_ret = 0; 750 } else 751 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 752 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 753 bcc_ptr += 2 * bytes_ret; 754 bcc_ptr += 2; /* account for null terminator */ 755 756 *pbcc_area = bcc_ptr; 757 } 758 unicode_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)759 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 760 const struct nls_table *nls_cp) 761 { 762 char *bcc_ptr = *pbcc_area; 763 int bytes_ret = 0; 764 765 /* BB FIXME add check that strings less than 335 or will need to send as arrays */ 766 767 /* copy user */ 768 if (ses->user_name == NULL) { 769 /* null user mount */ 770 *bcc_ptr = 0; 771 *(bcc_ptr+1) = 0; 772 } else { 773 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 774 CIFS_MAX_USERNAME_LEN, nls_cp); 775 } 776 bcc_ptr += 2 * bytes_ret; 777 bcc_ptr += 2; /* account for null termination */ 778 779 unicode_domain_string(&bcc_ptr, ses, nls_cp); 780 unicode_oslm_strings(&bcc_ptr, nls_cp); 781 782 *pbcc_area = bcc_ptr; 783 } 784 ascii_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)785 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 786 const struct nls_table *nls_cp) 787 { 788 char *bcc_ptr = *pbcc_area; 789 int len; 790 791 /* copy user */ 792 /* BB what about null user mounts - check that we do this BB */ 793 /* copy user */ 794 if (ses->user_name != NULL) { 795 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 796 if (WARN_ON_ONCE(len < 0)) 797 len = CIFS_MAX_USERNAME_LEN - 1; 798 bcc_ptr += len; 799 } 800 /* else null user mount */ 801 *bcc_ptr = 0; 802 bcc_ptr++; /* account for null termination */ 803 804 /* copy domain */ 805 if (ses->domainName != NULL) { 806 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 807 if (WARN_ON_ONCE(len < 0)) 808 len = CIFS_MAX_DOMAINNAME_LEN - 1; 809 bcc_ptr += len; 810 } /* else we send a null domain name so server will default to its own domain */ 811 *bcc_ptr = 0; 812 bcc_ptr++; 813 814 /* BB check for overflow here */ 815 816 strcpy(bcc_ptr, "Linux version "); 817 bcc_ptr += strlen("Linux version "); 818 strcpy(bcc_ptr, init_utsname()->release); 819 bcc_ptr += strlen(init_utsname()->release) + 1; 820 821 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 822 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 823 824 *pbcc_area = bcc_ptr; 825 } 826 827 static void decode_unicode_ssetup(char ** pbcc_area,int bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)828 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 829 const struct nls_table *nls_cp) 830 { 831 int len; 832 char *data = *pbcc_area; 833 834 cifs_dbg(FYI, "bleft %d\n", bleft); 835 836 kfree(ses->serverOS); 837 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 838 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 839 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 840 data += len; 841 bleft -= len; 842 if (bleft <= 0) 843 return; 844 845 kfree(ses->serverNOS); 846 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 847 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 848 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 849 data += len; 850 bleft -= len; 851 if (bleft <= 0) 852 return; 853 854 kfree(ses->serverDomain); 855 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 856 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 857 858 return; 859 } 860 decode_ascii_ssetup(char ** pbcc_area,__u16 bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)861 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 862 struct cifs_ses *ses, 863 const struct nls_table *nls_cp) 864 { 865 int len; 866 char *bcc_ptr = *pbcc_area; 867 868 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 869 870 len = strnlen(bcc_ptr, bleft); 871 if (len >= bleft) 872 return; 873 874 kfree(ses->serverOS); 875 876 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 877 if (ses->serverOS) { 878 memcpy(ses->serverOS, bcc_ptr, len); 879 ses->serverOS[len] = 0; 880 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 881 cifs_dbg(FYI, "OS/2 server\n"); 882 } 883 884 bcc_ptr += len + 1; 885 bleft -= len + 1; 886 887 len = strnlen(bcc_ptr, bleft); 888 if (len >= bleft) 889 return; 890 891 kfree(ses->serverNOS); 892 893 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 894 if (ses->serverNOS) { 895 memcpy(ses->serverNOS, bcc_ptr, len); 896 ses->serverNOS[len] = 0; 897 } 898 899 bcc_ptr += len + 1; 900 bleft -= len + 1; 901 902 len = strnlen(bcc_ptr, bleft); 903 if (len > bleft) 904 return; 905 906 /* 907 * No domain field in LANMAN case. Domain is 908 * returned by old servers in the SMB negprot response 909 * 910 * BB For newer servers which do not support Unicode, 911 * but thus do return domain here, we could add parsing 912 * for it later, but it is not very important 913 */ 914 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 915 } 916 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 917 decode_ntlmssp_challenge(char * bcc_ptr,int blob_len,struct cifs_ses * ses)918 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 919 struct cifs_ses *ses) 920 { 921 unsigned int tioffset; /* challenge message target info area */ 922 unsigned int tilen; /* challenge message target info area length */ 923 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 924 __u32 server_flags; 925 926 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 927 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 928 return -EINVAL; 929 } 930 931 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 932 cifs_dbg(VFS, "blob signature incorrect %s\n", 933 pblob->Signature); 934 return -EINVAL; 935 } 936 if (pblob->MessageType != NtLmChallenge) { 937 cifs_dbg(VFS, "Incorrect message type %d\n", 938 pblob->MessageType); 939 return -EINVAL; 940 } 941 942 server_flags = le32_to_cpu(pblob->NegotiateFlags); 943 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 944 ses->ntlmssp->client_flags, server_flags); 945 946 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 947 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 948 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 949 __func__); 950 return -EINVAL; 951 } 952 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 953 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 954 return -EINVAL; 955 } 956 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 957 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 958 __func__); 959 return -EOPNOTSUPP; 960 } 961 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 962 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 963 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 964 __func__); 965 966 ses->ntlmssp->server_flags = server_flags; 967 968 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 969 /* 970 * In particular we can examine sign flags 971 * 972 * BB spec says that if AvId field of MsvAvTimestamp is populated then 973 * we must set the MIC field of the AUTHENTICATE_MESSAGE 974 */ 975 976 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 977 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 978 if (tioffset > blob_len || tioffset + tilen > blob_len) { 979 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 980 tioffset, tilen); 981 return -EINVAL; 982 } 983 if (tilen) { 984 kfree_sensitive(ses->auth_key.response); 985 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 986 GFP_KERNEL); 987 if (!ses->auth_key.response) { 988 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 989 return -ENOMEM; 990 } 991 ses->auth_key.len = tilen; 992 } 993 994 return 0; 995 } 996 size_of_ntlmssp_blob(struct cifs_ses * ses,int base_size)997 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 998 { 999 int sz = base_size + ses->auth_key.len 1000 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 1001 1002 if (ses->domainName) 1003 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1004 else 1005 sz += sizeof(__le16); 1006 1007 if (ses->user_name) 1008 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1009 else 1010 sz += sizeof(__le16); 1011 1012 if (ses->workstation_name[0]) 1013 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1014 ntlmssp_workstation_name_size(ses)); 1015 else 1016 sz += sizeof(__le16); 1017 1018 return sz; 1019 } 1020 cifs_security_buffer_from_str(SECURITY_BUFFER * pbuf,char * str_value,int str_length,unsigned char * pstart,unsigned char ** pcur,const struct nls_table * nls_cp)1021 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1022 char *str_value, 1023 int str_length, 1024 unsigned char *pstart, 1025 unsigned char **pcur, 1026 const struct nls_table *nls_cp) 1027 { 1028 unsigned char *tmp = pstart; 1029 int len; 1030 1031 if (!pbuf) 1032 return; 1033 1034 if (!pcur) 1035 pcur = &tmp; 1036 1037 if (!str_value) { 1038 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1039 pbuf->Length = 0; 1040 pbuf->MaximumLength = 0; 1041 *pcur += sizeof(__le16); 1042 } else { 1043 len = cifs_strtoUTF16((__le16 *)*pcur, 1044 str_value, 1045 str_length, 1046 nls_cp); 1047 len *= sizeof(__le16); 1048 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1049 pbuf->Length = cpu_to_le16(len); 1050 pbuf->MaximumLength = cpu_to_le16(len); 1051 *pcur += len; 1052 } 1053 } 1054 1055 /* BB Move to ntlmssp.c eventually */ 1056 build_ntlmssp_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1057 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1058 u16 *buflen, 1059 struct cifs_ses *ses, 1060 struct TCP_Server_Info *server, 1061 const struct nls_table *nls_cp) 1062 { 1063 int rc = 0; 1064 NEGOTIATE_MESSAGE *sec_blob; 1065 __u32 flags; 1066 unsigned char *tmp; 1067 int len; 1068 1069 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1070 *pbuffer = kmalloc(len, GFP_KERNEL); 1071 if (!*pbuffer) { 1072 rc = -ENOMEM; 1073 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1074 *buflen = 0; 1075 goto setup_ntlm_neg_ret; 1076 } 1077 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1078 1079 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1080 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1081 sec_blob->MessageType = NtLmNegotiate; 1082 1083 /* BB is NTLMV2 session security format easier to use here? */ 1084 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1085 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1086 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1087 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1088 NTLMSSP_NEGOTIATE_SIGN; 1089 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1090 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1091 1092 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1093 ses->ntlmssp->client_flags = flags; 1094 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1095 1096 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1097 cifs_security_buffer_from_str(&sec_blob->DomainName, 1098 NULL, 1099 CIFS_MAX_DOMAINNAME_LEN, 1100 *pbuffer, &tmp, 1101 nls_cp); 1102 1103 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1104 NULL, 1105 CIFS_MAX_WORKSTATION_LEN, 1106 *pbuffer, &tmp, 1107 nls_cp); 1108 1109 *buflen = tmp - *pbuffer; 1110 setup_ntlm_neg_ret: 1111 return rc; 1112 } 1113 1114 /* 1115 * Build ntlmssp blob with additional fields, such as version, 1116 * supported by modern servers. For safety limit to SMB3 or later 1117 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1118 */ build_ntlmssp_smb3_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1119 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1120 u16 *buflen, 1121 struct cifs_ses *ses, 1122 struct TCP_Server_Info *server, 1123 const struct nls_table *nls_cp) 1124 { 1125 int rc = 0; 1126 struct negotiate_message *sec_blob; 1127 __u32 flags; 1128 unsigned char *tmp; 1129 int len; 1130 1131 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1132 *pbuffer = kmalloc(len, GFP_KERNEL); 1133 if (!*pbuffer) { 1134 rc = -ENOMEM; 1135 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1136 *buflen = 0; 1137 goto setup_ntlm_smb3_neg_ret; 1138 } 1139 sec_blob = (struct negotiate_message *)*pbuffer; 1140 1141 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1142 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1143 sec_blob->MessageType = NtLmNegotiate; 1144 1145 /* BB is NTLMV2 session security format easier to use here? */ 1146 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1147 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1148 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1149 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1150 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1151 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1152 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1153 1154 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1155 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1156 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1157 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1158 1159 tmp = *pbuffer + sizeof(struct negotiate_message); 1160 ses->ntlmssp->client_flags = flags; 1161 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1162 1163 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1164 cifs_security_buffer_from_str(&sec_blob->DomainName, 1165 NULL, 1166 CIFS_MAX_DOMAINNAME_LEN, 1167 *pbuffer, &tmp, 1168 nls_cp); 1169 1170 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1171 NULL, 1172 CIFS_MAX_WORKSTATION_LEN, 1173 *pbuffer, &tmp, 1174 nls_cp); 1175 1176 *buflen = tmp - *pbuffer; 1177 setup_ntlm_smb3_neg_ret: 1178 return rc; 1179 } 1180 1181 1182 /* See MS-NLMP 2.2.1.3 */ build_ntlmssp_auth_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1183 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1184 u16 *buflen, 1185 struct cifs_ses *ses, 1186 struct TCP_Server_Info *server, 1187 const struct nls_table *nls_cp) 1188 { 1189 int rc; 1190 AUTHENTICATE_MESSAGE *sec_blob; 1191 __u32 flags; 1192 unsigned char *tmp; 1193 int len; 1194 1195 rc = setup_ntlmv2_rsp(ses, nls_cp); 1196 if (rc) { 1197 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1198 *buflen = 0; 1199 goto setup_ntlmv2_ret; 1200 } 1201 1202 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1203 *pbuffer = kmalloc(len, GFP_KERNEL); 1204 if (!*pbuffer) { 1205 rc = -ENOMEM; 1206 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1207 *buflen = 0; 1208 goto setup_ntlmv2_ret; 1209 } 1210 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1211 1212 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1213 sec_blob->MessageType = NtLmAuthenticate; 1214 1215 /* send version information in ntlmssp authenticate also */ 1216 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1217 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 1218 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1219 1220 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1221 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1222 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1223 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1224 1225 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1226 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1227 1228 sec_blob->LmChallengeResponse.BufferOffset = 1229 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1230 sec_blob->LmChallengeResponse.Length = 0; 1231 sec_blob->LmChallengeResponse.MaximumLength = 0; 1232 1233 sec_blob->NtChallengeResponse.BufferOffset = 1234 cpu_to_le32(tmp - *pbuffer); 1235 if (ses->user_name != NULL) { 1236 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1237 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1238 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1239 1240 sec_blob->NtChallengeResponse.Length = 1241 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1242 sec_blob->NtChallengeResponse.MaximumLength = 1243 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1244 } else { 1245 /* 1246 * don't send an NT Response for anonymous access 1247 */ 1248 sec_blob->NtChallengeResponse.Length = 0; 1249 sec_blob->NtChallengeResponse.MaximumLength = 0; 1250 } 1251 1252 cifs_security_buffer_from_str(&sec_blob->DomainName, 1253 ses->domainName, 1254 CIFS_MAX_DOMAINNAME_LEN, 1255 *pbuffer, &tmp, 1256 nls_cp); 1257 1258 cifs_security_buffer_from_str(&sec_blob->UserName, 1259 ses->user_name, 1260 CIFS_MAX_USERNAME_LEN, 1261 *pbuffer, &tmp, 1262 nls_cp); 1263 1264 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1265 ses->workstation_name, 1266 ntlmssp_workstation_name_size(ses), 1267 *pbuffer, &tmp, 1268 nls_cp); 1269 1270 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1271 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1272 !calc_seckey(ses)) { 1273 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1274 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1275 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1276 sec_blob->SessionKey.MaximumLength = 1277 cpu_to_le16(CIFS_CPHTXT_SIZE); 1278 tmp += CIFS_CPHTXT_SIZE; 1279 } else { 1280 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1281 sec_blob->SessionKey.Length = 0; 1282 sec_blob->SessionKey.MaximumLength = 0; 1283 } 1284 1285 *buflen = tmp - *pbuffer; 1286 setup_ntlmv2_ret: 1287 return rc; 1288 } 1289 1290 enum securityEnum cifs_select_sectype(struct TCP_Server_Info * server,enum securityEnum requested)1291 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1292 { 1293 switch (server->negflavor) { 1294 case CIFS_NEGFLAVOR_EXTENDED: 1295 switch (requested) { 1296 case Kerberos: 1297 case RawNTLMSSP: 1298 case IAKerb: 1299 return requested; 1300 case Unspecified: 1301 if (server->sec_ntlmssp && 1302 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1303 return RawNTLMSSP; 1304 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) && 1305 (global_secflags & CIFSSEC_MAY_KRB5)) 1306 return Kerberos; 1307 fallthrough; 1308 default: 1309 return Unspecified; 1310 } 1311 case CIFS_NEGFLAVOR_UNENCAP: 1312 switch (requested) { 1313 case NTLMv2: 1314 return requested; 1315 case Unspecified: 1316 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1317 return NTLMv2; 1318 break; 1319 default: 1320 break; 1321 } 1322 fallthrough; 1323 default: 1324 return Unspecified; 1325 } 1326 } 1327 1328 struct sess_data { 1329 unsigned int xid; 1330 struct cifs_ses *ses; 1331 struct TCP_Server_Info *server; 1332 struct nls_table *nls_cp; 1333 void (*func)(struct sess_data *); 1334 int result; 1335 1336 /* we will send the SMB in three pieces: 1337 * a fixed length beginning part, an optional 1338 * SPNEGO blob (which can be zero length), and a 1339 * last part which will include the strings 1340 * and rest of bcc area. This allows us to avoid 1341 * a large buffer 17K allocation 1342 */ 1343 int buf0_type; 1344 struct kvec iov[3]; 1345 }; 1346 1347 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1348 static int sess_alloc_buffer(struct sess_data * sess_data,int wct)1349 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1350 { 1351 int rc; 1352 struct cifs_ses *ses = sess_data->ses; 1353 struct smb_hdr *smb_buf; 1354 1355 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1356 (void **)&smb_buf); 1357 1358 if (rc) 1359 return rc; 1360 1361 sess_data->iov[0].iov_base = (char *)smb_buf; 1362 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1363 /* 1364 * This variable will be used to clear the buffer 1365 * allocated above in case of any error in the calling function. 1366 */ 1367 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1368 1369 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1370 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1371 if (!sess_data->iov[2].iov_base) { 1372 rc = -ENOMEM; 1373 goto out_free_smb_buf; 1374 } 1375 1376 return 0; 1377 1378 out_free_smb_buf: 1379 cifs_small_buf_release(smb_buf); 1380 sess_data->iov[0].iov_base = NULL; 1381 sess_data->iov[0].iov_len = 0; 1382 sess_data->buf0_type = CIFS_NO_BUFFER; 1383 return rc; 1384 } 1385 1386 static void sess_free_buffer(struct sess_data * sess_data)1387 sess_free_buffer(struct sess_data *sess_data) 1388 { 1389 struct kvec *iov = sess_data->iov; 1390 1391 /* 1392 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1393 * Note that iov[1] is already freed by caller. 1394 */ 1395 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1396 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1397 1398 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1399 sess_data->buf0_type = CIFS_NO_BUFFER; 1400 kfree_sensitive(iov[2].iov_base); 1401 } 1402 1403 static int sess_establish_session(struct sess_data * sess_data)1404 sess_establish_session(struct sess_data *sess_data) 1405 { 1406 struct cifs_ses *ses = sess_data->ses; 1407 struct TCP_Server_Info *server = sess_data->server; 1408 1409 cifs_server_lock(server); 1410 if (!server->session_estab) { 1411 if (server->sign) { 1412 server->session_key.response = 1413 kmemdup(ses->auth_key.response, 1414 ses->auth_key.len, GFP_KERNEL); 1415 if (!server->session_key.response) { 1416 cifs_server_unlock(server); 1417 return -ENOMEM; 1418 } 1419 server->session_key.len = 1420 ses->auth_key.len; 1421 } 1422 server->sequence_number = 0x2; 1423 server->session_estab = true; 1424 } 1425 cifs_server_unlock(server); 1426 1427 cifs_dbg(FYI, "CIFS session established successfully\n"); 1428 return 0; 1429 } 1430 1431 static int sess_sendreceive(struct sess_data * sess_data)1432 sess_sendreceive(struct sess_data *sess_data) 1433 { 1434 int rc; 1435 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1436 __u16 count; 1437 struct kvec rsp_iov = { NULL, 0 }; 1438 1439 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1440 be32_add_cpu(&smb_buf->smb_buf_length, count); 1441 put_bcc(count, smb_buf); 1442 1443 rc = SendReceive2(sess_data->xid, sess_data->ses, 1444 sess_data->iov, 3 /* num_iovecs */, 1445 &sess_data->buf0_type, 1446 CIFS_LOG_ERROR, &rsp_iov); 1447 cifs_small_buf_release(sess_data->iov[0].iov_base); 1448 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1449 1450 return rc; 1451 } 1452 1453 static void sess_auth_ntlmv2(struct sess_data * sess_data)1454 sess_auth_ntlmv2(struct sess_data *sess_data) 1455 { 1456 int rc = 0; 1457 struct smb_hdr *smb_buf; 1458 SESSION_SETUP_ANDX *pSMB; 1459 char *bcc_ptr; 1460 struct cifs_ses *ses = sess_data->ses; 1461 struct TCP_Server_Info *server = sess_data->server; 1462 __u32 capabilities; 1463 __u16 bytes_remaining; 1464 1465 /* old style NTLM sessionsetup */ 1466 /* wct = 13 */ 1467 rc = sess_alloc_buffer(sess_data, 13); 1468 if (rc) 1469 goto out; 1470 1471 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1472 bcc_ptr = sess_data->iov[2].iov_base; 1473 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1474 1475 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1476 1477 /* LM2 password would be here if we supported it */ 1478 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1479 1480 if (ses->user_name != NULL) { 1481 /* calculate nlmv2 response and session key */ 1482 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1483 if (rc) { 1484 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1485 goto out; 1486 } 1487 1488 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1489 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1490 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1491 1492 /* set case sensitive password length after tilen may get 1493 * assigned, tilen is 0 otherwise. 1494 */ 1495 pSMB->req_no_secext.CaseSensitivePasswordLength = 1496 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1497 } else { 1498 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1499 } 1500 1501 if (ses->capabilities & CAP_UNICODE) { 1502 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1503 *bcc_ptr = 0; 1504 bcc_ptr++; 1505 } 1506 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1507 } else { 1508 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1509 } 1510 1511 1512 sess_data->iov[2].iov_len = (long) bcc_ptr - 1513 (long) sess_data->iov[2].iov_base; 1514 1515 rc = sess_sendreceive(sess_data); 1516 if (rc) 1517 goto out; 1518 1519 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1520 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1521 1522 if (smb_buf->WordCount != 3) { 1523 rc = -EIO; 1524 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1525 goto out; 1526 } 1527 1528 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1529 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1530 1531 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1532 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1533 1534 bytes_remaining = get_bcc(smb_buf); 1535 bcc_ptr = pByteArea(smb_buf); 1536 1537 /* BB check if Unicode and decode strings */ 1538 if (bytes_remaining == 0) { 1539 /* no string area to decode, do nothing */ 1540 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1541 /* unicode string area must be word-aligned */ 1542 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1543 ++bcc_ptr; 1544 --bytes_remaining; 1545 } 1546 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1547 sess_data->nls_cp); 1548 } else { 1549 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1550 sess_data->nls_cp); 1551 } 1552 1553 rc = sess_establish_session(sess_data); 1554 out: 1555 sess_data->result = rc; 1556 sess_data->func = NULL; 1557 sess_free_buffer(sess_data); 1558 kfree_sensitive(ses->auth_key.response); 1559 ses->auth_key.response = NULL; 1560 } 1561 1562 #ifdef CONFIG_CIFS_UPCALL 1563 static void sess_auth_kerberos(struct sess_data * sess_data)1564 sess_auth_kerberos(struct sess_data *sess_data) 1565 { 1566 int rc = 0; 1567 struct smb_hdr *smb_buf; 1568 SESSION_SETUP_ANDX *pSMB; 1569 char *bcc_ptr; 1570 struct cifs_ses *ses = sess_data->ses; 1571 struct TCP_Server_Info *server = sess_data->server; 1572 __u32 capabilities; 1573 __u16 bytes_remaining; 1574 struct key *spnego_key = NULL; 1575 struct cifs_spnego_msg *msg; 1576 u16 blob_len; 1577 1578 /* extended security */ 1579 /* wct = 12 */ 1580 rc = sess_alloc_buffer(sess_data, 12); 1581 if (rc) 1582 goto out; 1583 1584 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1585 bcc_ptr = sess_data->iov[2].iov_base; 1586 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1587 1588 spnego_key = cifs_get_spnego_key(ses, server); 1589 if (IS_ERR(spnego_key)) { 1590 rc = PTR_ERR(spnego_key); 1591 spnego_key = NULL; 1592 goto out; 1593 } 1594 1595 msg = spnego_key->payload.data[0]; 1596 /* 1597 * check version field to make sure that cifs.upcall is 1598 * sending us a response in an expected form 1599 */ 1600 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1601 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1602 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1603 rc = -EKEYREJECTED; 1604 goto out_put_spnego_key; 1605 } 1606 1607 kfree_sensitive(ses->auth_key.response); 1608 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1609 GFP_KERNEL); 1610 if (!ses->auth_key.response) { 1611 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1612 msg->sesskey_len); 1613 rc = -ENOMEM; 1614 goto out_put_spnego_key; 1615 } 1616 ses->auth_key.len = msg->sesskey_len; 1617 1618 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1619 capabilities |= CAP_EXTENDED_SECURITY; 1620 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1621 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1622 sess_data->iov[1].iov_len = msg->secblob_len; 1623 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1624 1625 if (ses->capabilities & CAP_UNICODE) { 1626 /* unicode strings must be word aligned */ 1627 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1628 *bcc_ptr = 0; 1629 bcc_ptr++; 1630 } 1631 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1632 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1633 } else { 1634 /* BB: is this right? */ 1635 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1636 } 1637 1638 sess_data->iov[2].iov_len = (long) bcc_ptr - 1639 (long) sess_data->iov[2].iov_base; 1640 1641 rc = sess_sendreceive(sess_data); 1642 if (rc) 1643 goto out_put_spnego_key; 1644 1645 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1646 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1647 1648 if (smb_buf->WordCount != 4) { 1649 rc = -EIO; 1650 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1651 goto out_put_spnego_key; 1652 } 1653 1654 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1655 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1656 1657 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1658 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1659 1660 bytes_remaining = get_bcc(smb_buf); 1661 bcc_ptr = pByteArea(smb_buf); 1662 1663 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1664 if (blob_len > bytes_remaining) { 1665 cifs_dbg(VFS, "bad security blob length %d\n", 1666 blob_len); 1667 rc = -EINVAL; 1668 goto out_put_spnego_key; 1669 } 1670 bcc_ptr += blob_len; 1671 bytes_remaining -= blob_len; 1672 1673 /* BB check if Unicode and decode strings */ 1674 if (bytes_remaining == 0) { 1675 /* no string area to decode, do nothing */ 1676 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1677 /* unicode string area must be word-aligned */ 1678 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1679 ++bcc_ptr; 1680 --bytes_remaining; 1681 } 1682 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1683 sess_data->nls_cp); 1684 } else { 1685 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1686 sess_data->nls_cp); 1687 } 1688 1689 rc = sess_establish_session(sess_data); 1690 out_put_spnego_key: 1691 key_invalidate(spnego_key); 1692 key_put(spnego_key); 1693 out: 1694 sess_data->result = rc; 1695 sess_data->func = NULL; 1696 sess_free_buffer(sess_data); 1697 kfree_sensitive(ses->auth_key.response); 1698 ses->auth_key.response = NULL; 1699 } 1700 1701 #endif /* ! CONFIG_CIFS_UPCALL */ 1702 1703 /* 1704 * The required kvec buffers have to be allocated before calling this 1705 * function. 1706 */ 1707 static int _sess_auth_rawntlmssp_assemble_req(struct sess_data * sess_data)1708 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1709 { 1710 SESSION_SETUP_ANDX *pSMB; 1711 struct cifs_ses *ses = sess_data->ses; 1712 struct TCP_Server_Info *server = sess_data->server; 1713 __u32 capabilities; 1714 char *bcc_ptr; 1715 1716 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1717 1718 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1719 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1720 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1721 return -ENOSYS; 1722 } 1723 1724 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1725 capabilities |= CAP_EXTENDED_SECURITY; 1726 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1727 1728 bcc_ptr = sess_data->iov[2].iov_base; 1729 /* unicode strings must be word aligned */ 1730 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1731 *bcc_ptr = 0; 1732 bcc_ptr++; 1733 } 1734 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1735 1736 sess_data->iov[2].iov_len = (long) bcc_ptr - 1737 (long) sess_data->iov[2].iov_base; 1738 1739 return 0; 1740 } 1741 1742 static void 1743 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1744 1745 static void sess_auth_rawntlmssp_negotiate(struct sess_data * sess_data)1746 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1747 { 1748 int rc; 1749 struct smb_hdr *smb_buf; 1750 SESSION_SETUP_ANDX *pSMB; 1751 struct cifs_ses *ses = sess_data->ses; 1752 struct TCP_Server_Info *server = sess_data->server; 1753 __u16 bytes_remaining; 1754 char *bcc_ptr; 1755 unsigned char *ntlmsspblob = NULL; 1756 u16 blob_len; 1757 1758 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1759 1760 /* 1761 * if memory allocation is successful, caller of this function 1762 * frees it. 1763 */ 1764 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1765 if (!ses->ntlmssp) { 1766 rc = -ENOMEM; 1767 goto out; 1768 } 1769 ses->ntlmssp->sesskey_per_smbsess = false; 1770 1771 /* wct = 12 */ 1772 rc = sess_alloc_buffer(sess_data, 12); 1773 if (rc) 1774 goto out; 1775 1776 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1777 1778 /* Build security blob before we assemble the request */ 1779 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1780 &blob_len, ses, server, 1781 sess_data->nls_cp); 1782 if (rc) 1783 goto out_free_ntlmsspblob; 1784 1785 sess_data->iov[1].iov_len = blob_len; 1786 sess_data->iov[1].iov_base = ntlmsspblob; 1787 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1788 1789 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1790 if (rc) 1791 goto out_free_ntlmsspblob; 1792 1793 rc = sess_sendreceive(sess_data); 1794 1795 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1796 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1797 1798 /* If true, rc here is expected and not an error */ 1799 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1800 smb_buf->Status.CifsError == 1801 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1802 rc = 0; 1803 1804 if (rc) 1805 goto out_free_ntlmsspblob; 1806 1807 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1808 1809 if (smb_buf->WordCount != 4) { 1810 rc = -EIO; 1811 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1812 goto out_free_ntlmsspblob; 1813 } 1814 1815 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1816 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1817 1818 bytes_remaining = get_bcc(smb_buf); 1819 bcc_ptr = pByteArea(smb_buf); 1820 1821 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1822 if (blob_len > bytes_remaining) { 1823 cifs_dbg(VFS, "bad security blob length %d\n", 1824 blob_len); 1825 rc = -EINVAL; 1826 goto out_free_ntlmsspblob; 1827 } 1828 1829 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1830 1831 out_free_ntlmsspblob: 1832 kfree_sensitive(ntlmsspblob); 1833 out: 1834 sess_free_buffer(sess_data); 1835 1836 if (!rc) { 1837 sess_data->func = sess_auth_rawntlmssp_authenticate; 1838 return; 1839 } 1840 1841 /* Else error. Cleanup */ 1842 kfree_sensitive(ses->auth_key.response); 1843 ses->auth_key.response = NULL; 1844 kfree_sensitive(ses->ntlmssp); 1845 ses->ntlmssp = NULL; 1846 1847 sess_data->func = NULL; 1848 sess_data->result = rc; 1849 } 1850 1851 static void sess_auth_rawntlmssp_authenticate(struct sess_data * sess_data)1852 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1853 { 1854 int rc; 1855 struct smb_hdr *smb_buf; 1856 SESSION_SETUP_ANDX *pSMB; 1857 struct cifs_ses *ses = sess_data->ses; 1858 struct TCP_Server_Info *server = sess_data->server; 1859 __u16 bytes_remaining; 1860 char *bcc_ptr; 1861 unsigned char *ntlmsspblob = NULL; 1862 u16 blob_len; 1863 1864 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1865 1866 /* wct = 12 */ 1867 rc = sess_alloc_buffer(sess_data, 12); 1868 if (rc) 1869 goto out; 1870 1871 /* Build security blob before we assemble the request */ 1872 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1873 smb_buf = (struct smb_hdr *)pSMB; 1874 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1875 &blob_len, ses, server, 1876 sess_data->nls_cp); 1877 if (rc) 1878 goto out_free_ntlmsspblob; 1879 sess_data->iov[1].iov_len = blob_len; 1880 sess_data->iov[1].iov_base = ntlmsspblob; 1881 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1882 /* 1883 * Make sure that we tell the server that we are using 1884 * the uid that it just gave us back on the response 1885 * (challenge) 1886 */ 1887 smb_buf->Uid = ses->Suid; 1888 1889 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1890 if (rc) 1891 goto out_free_ntlmsspblob; 1892 1893 rc = sess_sendreceive(sess_data); 1894 if (rc) 1895 goto out_free_ntlmsspblob; 1896 1897 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1898 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1899 if (smb_buf->WordCount != 4) { 1900 rc = -EIO; 1901 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1902 goto out_free_ntlmsspblob; 1903 } 1904 1905 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1906 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1907 1908 if (ses->Suid != smb_buf->Uid) { 1909 ses->Suid = smb_buf->Uid; 1910 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1911 } 1912 1913 bytes_remaining = get_bcc(smb_buf); 1914 bcc_ptr = pByteArea(smb_buf); 1915 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1916 if (blob_len > bytes_remaining) { 1917 cifs_dbg(VFS, "bad security blob length %d\n", 1918 blob_len); 1919 rc = -EINVAL; 1920 goto out_free_ntlmsspblob; 1921 } 1922 bcc_ptr += blob_len; 1923 bytes_remaining -= blob_len; 1924 1925 1926 /* BB check if Unicode and decode strings */ 1927 if (bytes_remaining == 0) { 1928 /* no string area to decode, do nothing */ 1929 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1930 /* unicode string area must be word-aligned */ 1931 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1932 ++bcc_ptr; 1933 --bytes_remaining; 1934 } 1935 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1936 sess_data->nls_cp); 1937 } else { 1938 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1939 sess_data->nls_cp); 1940 } 1941 1942 out_free_ntlmsspblob: 1943 kfree_sensitive(ntlmsspblob); 1944 out: 1945 sess_free_buffer(sess_data); 1946 1947 if (!rc) 1948 rc = sess_establish_session(sess_data); 1949 1950 /* Cleanup */ 1951 kfree_sensitive(ses->auth_key.response); 1952 ses->auth_key.response = NULL; 1953 kfree_sensitive(ses->ntlmssp); 1954 ses->ntlmssp = NULL; 1955 1956 sess_data->func = NULL; 1957 sess_data->result = rc; 1958 } 1959 select_sec(struct sess_data * sess_data)1960 static int select_sec(struct sess_data *sess_data) 1961 { 1962 int type; 1963 struct cifs_ses *ses = sess_data->ses; 1964 struct TCP_Server_Info *server = sess_data->server; 1965 1966 type = cifs_select_sectype(server, ses->sectype); 1967 cifs_dbg(FYI, "sess setup type %d\n", type); 1968 if (type == Unspecified) { 1969 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1970 return -EINVAL; 1971 } 1972 1973 switch (type) { 1974 case NTLMv2: 1975 sess_data->func = sess_auth_ntlmv2; 1976 break; 1977 case Kerberos: 1978 #ifdef CONFIG_CIFS_UPCALL 1979 sess_data->func = sess_auth_kerberos; 1980 break; 1981 #else 1982 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1983 return -ENOSYS; 1984 #endif /* CONFIG_CIFS_UPCALL */ 1985 case RawNTLMSSP: 1986 sess_data->func = sess_auth_rawntlmssp_negotiate; 1987 break; 1988 default: 1989 cifs_dbg(VFS, "secType %d not supported!\n", type); 1990 return -ENOSYS; 1991 } 1992 1993 return 0; 1994 } 1995 CIFS_SessSetup(const unsigned int xid,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1996 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1997 struct TCP_Server_Info *server, 1998 const struct nls_table *nls_cp) 1999 { 2000 int rc = 0; 2001 struct sess_data *sess_data; 2002 2003 if (ses == NULL) { 2004 WARN(1, "%s: ses == NULL!", __func__); 2005 return -EINVAL; 2006 } 2007 2008 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2009 if (!sess_data) 2010 return -ENOMEM; 2011 2012 sess_data->xid = xid; 2013 sess_data->ses = ses; 2014 sess_data->server = server; 2015 sess_data->buf0_type = CIFS_NO_BUFFER; 2016 sess_data->nls_cp = (struct nls_table *) nls_cp; 2017 2018 rc = select_sec(sess_data); 2019 if (rc) 2020 goto out; 2021 2022 while (sess_data->func) 2023 sess_data->func(sess_data); 2024 2025 /* Store result before we free sess_data */ 2026 rc = sess_data->result; 2027 2028 out: 2029 kfree_sensitive(sess_data); 2030 return rc; 2031 } 2032 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2033