1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool 31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 int 73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 /* if the channel is waiting for termination */ 79 if (server && server->terminate) 80 return CIFS_INVAL_CHAN_INDEX; 81 82 for (i = 0; i < ses->chan_count; i++) { 83 if (ses->chans[i].server == server) 84 return i; 85 } 86 87 /* If we didn't find the channel, it is likely a bug */ 88 if (server) 89 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 90 server->conn_id); 91 return CIFS_INVAL_CHAN_INDEX; 92 } 93 94 void 95 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 96 struct TCP_Server_Info *server) 97 { 98 int chan_index = cifs_ses_get_chan_index(ses, server); 99 100 if (chan_index == CIFS_INVAL_CHAN_INDEX) 101 return; 102 103 ses->chans[chan_index].in_reconnect = true; 104 } 105 106 void 107 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 108 struct TCP_Server_Info *server) 109 { 110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 111 if (chan_index == CIFS_INVAL_CHAN_INDEX) 112 return; 113 114 ses->chans[chan_index].in_reconnect = false; 115 } 116 117 bool 118 cifs_chan_in_reconnect(struct cifs_ses *ses, 119 struct TCP_Server_Info *server) 120 { 121 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 122 if (chan_index == CIFS_INVAL_CHAN_INDEX) 123 return true; /* err on the safer side */ 124 125 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 126 } 127 128 void 129 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 130 struct TCP_Server_Info *server) 131 { 132 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 133 if (chan_index == CIFS_INVAL_CHAN_INDEX) 134 return; 135 136 set_bit(chan_index, &ses->chans_need_reconnect); 137 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 138 chan_index, ses->chans_need_reconnect); 139 } 140 141 void 142 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 143 struct TCP_Server_Info *server) 144 { 145 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 146 if (chan_index == CIFS_INVAL_CHAN_INDEX) 147 return; 148 149 clear_bit(chan_index, &ses->chans_need_reconnect); 150 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 151 chan_index, ses->chans_need_reconnect); 152 } 153 154 bool 155 cifs_chan_needs_reconnect(struct cifs_ses *ses, 156 struct TCP_Server_Info *server) 157 { 158 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 159 if (chan_index == CIFS_INVAL_CHAN_INDEX) 160 return true; /* err on the safer side */ 161 162 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 163 } 164 165 bool 166 cifs_chan_is_iface_active(struct cifs_ses *ses, 167 struct TCP_Server_Info *server) 168 { 169 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 170 if (chan_index == CIFS_INVAL_CHAN_INDEX) 171 return true; /* err on the safer side */ 172 173 return ses->chans[chan_index].iface && 174 ses->chans[chan_index].iface->is_active; 175 } 176 177 /* returns number of channels added */ 178 int cifs_try_adding_channels(struct cifs_ses *ses) 179 { 180 struct TCP_Server_Info *server = ses->server; 181 int old_chan_count, new_chan_count; 182 int left; 183 int rc = 0; 184 int tries = 0; 185 size_t iface_weight = 0, iface_min_speed = 0; 186 struct cifs_server_iface *iface = NULL, *niface = NULL; 187 struct cifs_server_iface *last_iface = NULL; 188 189 spin_lock(&ses->chan_lock); 190 191 new_chan_count = old_chan_count = ses->chan_count; 192 left = ses->chan_max - ses->chan_count; 193 194 if (left <= 0) { 195 spin_unlock(&ses->chan_lock); 196 cifs_dbg(FYI, 197 "ses already at max_channels (%zu), nothing to open\n", 198 ses->chan_max); 199 return 0; 200 } 201 202 if (server->dialect < SMB30_PROT_ID) { 203 spin_unlock(&ses->chan_lock); 204 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 205 return 0; 206 } 207 208 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 209 spin_unlock(&ses->chan_lock); 210 cifs_server_dbg(VFS, "no multichannel support\n"); 211 return 0; 212 } 213 spin_unlock(&ses->chan_lock); 214 215 while (left > 0) { 216 217 tries++; 218 if (tries > 3*ses->chan_max) { 219 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 220 left); 221 break; 222 } 223 224 spin_lock(&ses->iface_lock); 225 if (!ses->iface_count) { 226 spin_unlock(&ses->iface_lock); 227 cifs_dbg(VFS, "server %s does not advertise interfaces\n", 228 ses->server->hostname); 229 break; 230 } 231 232 if (!iface) 233 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 234 iface_head); 235 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 236 iface_head); 237 iface_min_speed = last_iface->speed; 238 239 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 240 iface_head) { 241 /* do not mix rdma and non-rdma interfaces */ 242 if (iface->rdma_capable != ses->server->rdma) 243 continue; 244 245 /* skip ifaces that are unusable */ 246 if (!iface->is_active || 247 (is_ses_using_iface(ses, iface) && 248 !iface->rss_capable)) 249 continue; 250 251 /* check if we already allocated enough channels */ 252 iface_weight = iface->speed / iface_min_speed; 253 254 if (iface->weight_fulfilled >= iface_weight) 255 continue; 256 257 /* take ref before unlock */ 258 kref_get(&iface->refcount); 259 260 spin_unlock(&ses->iface_lock); 261 rc = cifs_ses_add_channel(ses, iface); 262 spin_lock(&ses->iface_lock); 263 264 if (rc) { 265 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 266 &iface->sockaddr, 267 rc); 268 kref_put(&iface->refcount, release_iface); 269 /* failure to add chan should increase weight */ 270 iface->weight_fulfilled++; 271 continue; 272 } 273 274 iface->num_channels++; 275 iface->weight_fulfilled++; 276 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n", 277 &iface->sockaddr); 278 break; 279 } 280 281 /* reached end of list. reset weight_fulfilled and start over */ 282 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 283 list_for_each_entry(iface, &ses->iface_list, iface_head) 284 iface->weight_fulfilled = 0; 285 spin_unlock(&ses->iface_lock); 286 iface = NULL; 287 continue; 288 } 289 spin_unlock(&ses->iface_lock); 290 291 left--; 292 new_chan_count++; 293 } 294 295 return new_chan_count - old_chan_count; 296 } 297 298 /* 299 * called when multichannel is disabled by the server. 300 * this always gets called from smb2_reconnect 301 * and cannot get called in parallel threads. 302 */ 303 void 304 cifs_disable_secondary_channels(struct cifs_ses *ses) 305 { 306 int i, chan_count; 307 struct TCP_Server_Info *server; 308 struct cifs_server_iface *iface; 309 310 spin_lock(&ses->chan_lock); 311 chan_count = ses->chan_count; 312 if (chan_count == 1) 313 goto done; 314 315 ses->chan_count = 1; 316 317 /* for all secondary channels reset the need reconnect bit */ 318 ses->chans_need_reconnect &= 1; 319 320 for (i = 1; i < chan_count; i++) { 321 iface = ses->chans[i].iface; 322 server = ses->chans[i].server; 323 324 /* 325 * remove these references first, since we need to unlock 326 * the chan_lock here, since iface_lock is a higher lock 327 */ 328 ses->chans[i].iface = NULL; 329 ses->chans[i].server = NULL; 330 spin_unlock(&ses->chan_lock); 331 332 if (iface) { 333 spin_lock(&ses->iface_lock); 334 kref_put(&iface->refcount, release_iface); 335 iface->num_channels--; 336 if (iface->weight_fulfilled) 337 iface->weight_fulfilled--; 338 spin_unlock(&ses->iface_lock); 339 } 340 341 if (server) { 342 if (!server->terminate) { 343 server->terminate = true; 344 cifs_signal_cifsd_for_reconnect(server, false); 345 } 346 cifs_put_tcp_session(server, false); 347 } 348 349 spin_lock(&ses->chan_lock); 350 } 351 352 done: 353 spin_unlock(&ses->chan_lock); 354 } 355 356 /* 357 * update the iface for the channel if necessary. 358 * will return 0 when iface is updated, 1 if removed, 2 otherwise 359 * Must be called with chan_lock held. 360 */ 361 int 362 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 363 { 364 unsigned int chan_index; 365 size_t iface_weight = 0, iface_min_speed = 0; 366 struct cifs_server_iface *iface = NULL; 367 struct cifs_server_iface *old_iface = NULL; 368 struct cifs_server_iface *last_iface = NULL; 369 struct sockaddr_storage ss; 370 int rc = 0; 371 372 spin_lock(&ses->chan_lock); 373 chan_index = cifs_ses_get_chan_index(ses, server); 374 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 375 spin_unlock(&ses->chan_lock); 376 return 0; 377 } 378 379 if (ses->chans[chan_index].iface) { 380 old_iface = ses->chans[chan_index].iface; 381 if (old_iface->is_active) { 382 spin_unlock(&ses->chan_lock); 383 return 1; 384 } 385 } 386 spin_unlock(&ses->chan_lock); 387 388 spin_lock(&server->srv_lock); 389 ss = server->dstaddr; 390 spin_unlock(&server->srv_lock); 391 392 spin_lock(&ses->iface_lock); 393 if (!ses->iface_count) { 394 spin_unlock(&ses->iface_lock); 395 cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname); 396 return 0; 397 } 398 399 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 400 iface_head); 401 iface_min_speed = last_iface->speed; 402 403 /* then look for a new one */ 404 list_for_each_entry(iface, &ses->iface_list, iface_head) { 405 if (!chan_index) { 406 /* if we're trying to get the updated iface for primary channel */ 407 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 408 (struct sockaddr *) &iface->sockaddr)) 409 continue; 410 411 kref_get(&iface->refcount); 412 break; 413 } 414 415 /* do not mix rdma and non-rdma interfaces */ 416 if (iface->rdma_capable != server->rdma) 417 continue; 418 419 if (!iface->is_active || 420 (is_ses_using_iface(ses, iface) && 421 !iface->rss_capable)) { 422 continue; 423 } 424 425 /* check if we already allocated enough channels */ 426 iface_weight = iface->speed / iface_min_speed; 427 428 if (iface->weight_fulfilled >= iface_weight) 429 continue; 430 431 kref_get(&iface->refcount); 432 break; 433 } 434 435 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 436 rc = 1; 437 iface = NULL; 438 cifs_dbg(FYI, "unable to find a suitable iface\n"); 439 } 440 441 if (!chan_index && !iface) { 442 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 443 &ss); 444 spin_unlock(&ses->iface_lock); 445 return 0; 446 } 447 448 /* now drop the ref to the current iface */ 449 if (old_iface && iface) { 450 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 451 &old_iface->sockaddr, 452 &iface->sockaddr); 453 454 old_iface->num_channels--; 455 if (old_iface->weight_fulfilled) 456 old_iface->weight_fulfilled--; 457 iface->num_channels++; 458 iface->weight_fulfilled++; 459 460 kref_put(&old_iface->refcount, release_iface); 461 } else if (old_iface) { 462 cifs_dbg(FYI, "releasing ref to iface: %pIS\n", 463 &old_iface->sockaddr); 464 465 old_iface->num_channels--; 466 if (old_iface->weight_fulfilled) 467 old_iface->weight_fulfilled--; 468 469 kref_put(&old_iface->refcount, release_iface); 470 } else if (!chan_index) { 471 /* special case: update interface for primary channel */ 472 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 473 &iface->sockaddr); 474 iface->num_channels++; 475 iface->weight_fulfilled++; 476 } else { 477 WARN_ON(!iface); 478 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); 479 } 480 spin_unlock(&ses->iface_lock); 481 482 spin_lock(&ses->chan_lock); 483 chan_index = cifs_ses_get_chan_index(ses, server); 484 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 485 spin_unlock(&ses->chan_lock); 486 return 0; 487 } 488 489 ses->chans[chan_index].iface = iface; 490 491 /* No iface is found. if secondary chan, drop connection */ 492 if (!iface && SERVER_IS_CHAN(server)) 493 ses->chans[chan_index].server = NULL; 494 495 spin_unlock(&ses->chan_lock); 496 497 if (!iface && SERVER_IS_CHAN(server)) 498 cifs_put_tcp_session(server, false); 499 500 return rc; 501 } 502 503 /* 504 * If server is a channel of ses, return the corresponding enclosing 505 * cifs_chan otherwise return NULL. 506 */ 507 struct cifs_chan * 508 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 509 { 510 int i; 511 512 spin_lock(&ses->chan_lock); 513 for (i = 0; i < ses->chan_count; i++) { 514 if (ses->chans[i].server == server) { 515 spin_unlock(&ses->chan_lock); 516 return &ses->chans[i]; 517 } 518 } 519 spin_unlock(&ses->chan_lock); 520 return NULL; 521 } 522 523 static int 524 cifs_ses_add_channel(struct cifs_ses *ses, 525 struct cifs_server_iface *iface) 526 { 527 struct TCP_Server_Info *chan_server; 528 struct cifs_chan *chan; 529 struct smb3_fs_context *ctx; 530 static const char unc_fmt[] = "\\%s\\foo"; 531 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 532 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 533 size_t len; 534 int rc; 535 unsigned int xid = get_xid(); 536 537 if (iface->sockaddr.ss_family == AF_INET) 538 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 539 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 540 &ipv4->sin_addr); 541 else 542 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 543 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 544 &ipv6->sin6_addr); 545 546 /* 547 * Setup a ctx with mostly the same info as the existing 548 * session and overwrite it with the requested iface data. 549 * 550 * We need to setup at least the fields used for negprot and 551 * sesssetup. 552 * 553 * We only need the ctx here, so we can reuse memory from 554 * the session and server without caring about memory 555 * management. 556 */ 557 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 558 if (!ctx) { 559 rc = -ENOMEM; 560 goto out_free_xid; 561 } 562 563 /* Always make new connection for now (TODO?) */ 564 ctx->nosharesock = true; 565 566 /* Auth */ 567 ctx->domainauto = ses->domainAuto; 568 ctx->domainname = ses->domainName; 569 570 /* no hostname for extra channels */ 571 ctx->server_hostname = ""; 572 573 ctx->username = ses->user_name; 574 ctx->password = ses->password; 575 ctx->sectype = ses->sectype; 576 ctx->sign = ses->sign; 577 578 /* UNC and paths */ 579 /* XXX: Use ses->server->hostname? */ 580 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 581 ctx->UNC = kzalloc(len, GFP_KERNEL); 582 if (!ctx->UNC) { 583 rc = -ENOMEM; 584 goto out_free_ctx; 585 } 586 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 587 ctx->prepath = ""; 588 589 /* Reuse same version as master connection */ 590 ctx->vals = ses->server->vals; 591 ctx->ops = ses->server->ops; 592 593 ctx->noblocksnd = ses->server->noblocksnd; 594 ctx->noautotune = ses->server->noautotune; 595 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 596 ctx->echo_interval = ses->server->echo_interval / HZ; 597 ctx->max_credits = ses->server->max_credits; 598 599 /* 600 * This will be used for encoding/decoding user/domain/pw 601 * during sess setup auth. 602 */ 603 ctx->local_nls = ses->local_nls; 604 605 /* Use RDMA if possible */ 606 ctx->rdma = iface->rdma_capable; 607 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 608 609 /* reuse master con client guid */ 610 memcpy(&ctx->client_guid, ses->server->client_guid, 611 sizeof(ctx->client_guid)); 612 ctx->use_client_guid = true; 613 614 chan_server = cifs_get_tcp_session(ctx, ses->server); 615 616 spin_lock(&ses->chan_lock); 617 chan = &ses->chans[ses->chan_count]; 618 chan->server = chan_server; 619 if (IS_ERR(chan->server)) { 620 rc = PTR_ERR(chan->server); 621 chan->server = NULL; 622 spin_unlock(&ses->chan_lock); 623 goto out; 624 } 625 chan->iface = iface; 626 ses->chan_count++; 627 atomic_set(&ses->chan_seq, 0); 628 629 /* Mark this channel as needing connect/setup */ 630 cifs_chan_set_need_reconnect(ses, chan->server); 631 632 spin_unlock(&ses->chan_lock); 633 634 mutex_lock(&ses->session_mutex); 635 /* 636 * We need to allocate the server crypto now as we will need 637 * to sign packets before we generate the channel signing key 638 * (we sign with the session key) 639 */ 640 rc = smb311_crypto_shash_allocate(chan->server); 641 if (rc) { 642 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 643 mutex_unlock(&ses->session_mutex); 644 goto out; 645 } 646 647 rc = cifs_negotiate_protocol(xid, ses, chan->server); 648 if (!rc) 649 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 650 651 mutex_unlock(&ses->session_mutex); 652 653 out: 654 if (rc && chan->server) { 655 cifs_put_tcp_session(chan->server, 0); 656 657 spin_lock(&ses->chan_lock); 658 659 /* we rely on all bits beyond chan_count to be clear */ 660 cifs_chan_clear_need_reconnect(ses, chan->server); 661 ses->chan_count--; 662 /* 663 * chan_count should never reach 0 as at least the primary 664 * channel is always allocated 665 */ 666 WARN_ON(ses->chan_count < 1); 667 spin_unlock(&ses->chan_lock); 668 } 669 670 kfree(ctx->UNC); 671 out_free_ctx: 672 kfree(ctx); 673 out_free_xid: 674 free_xid(xid); 675 return rc; 676 } 677 678 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 679 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 680 struct TCP_Server_Info *server, 681 SESSION_SETUP_ANDX *pSMB) 682 { 683 __u32 capabilities = 0; 684 685 /* init fields common to all four types of SessSetup */ 686 /* Note that offsets for first seven fields in req struct are same */ 687 /* in CIFS Specs so does not matter which of 3 forms of struct */ 688 /* that we use in next few lines */ 689 /* Note that header is initialized to zero in header_assemble */ 690 pSMB->req.AndXCommand = 0xFF; 691 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 692 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 693 USHRT_MAX)); 694 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 695 pSMB->req.VcNumber = cpu_to_le16(1); 696 697 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 698 699 /* BB verify whether signing required on neg or just on auth frame 700 (and NTLM case) */ 701 702 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 703 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 704 705 if (server->sign) 706 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 707 708 if (ses->capabilities & CAP_UNICODE) { 709 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 710 capabilities |= CAP_UNICODE; 711 } 712 if (ses->capabilities & CAP_STATUS32) { 713 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 714 capabilities |= CAP_STATUS32; 715 } 716 if (ses->capabilities & CAP_DFS) { 717 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 718 capabilities |= CAP_DFS; 719 } 720 if (ses->capabilities & CAP_UNIX) 721 capabilities |= CAP_UNIX; 722 723 return capabilities; 724 } 725 726 static void 727 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 728 { 729 char *bcc_ptr = *pbcc_area; 730 int bytes_ret = 0; 731 732 /* Copy OS version */ 733 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 734 nls_cp); 735 bcc_ptr += 2 * bytes_ret; 736 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 737 32, nls_cp); 738 bcc_ptr += 2 * bytes_ret; 739 bcc_ptr += 2; /* trailing null */ 740 741 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 742 32, nls_cp); 743 bcc_ptr += 2 * bytes_ret; 744 bcc_ptr += 2; /* trailing null */ 745 746 *pbcc_area = bcc_ptr; 747 } 748 749 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 750 const struct nls_table *nls_cp) 751 { 752 char *bcc_ptr = *pbcc_area; 753 int bytes_ret = 0; 754 755 /* copy domain */ 756 if (ses->domainName == NULL) { 757 /* Sending null domain better than using a bogus domain name (as 758 we did briefly in 2.6.18) since server will use its default */ 759 *bcc_ptr = 0; 760 *(bcc_ptr+1) = 0; 761 bytes_ret = 0; 762 } else 763 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 764 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 765 bcc_ptr += 2 * bytes_ret; 766 bcc_ptr += 2; /* account for null terminator */ 767 768 *pbcc_area = bcc_ptr; 769 } 770 771 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 772 const struct nls_table *nls_cp) 773 { 774 char *bcc_ptr = *pbcc_area; 775 int bytes_ret = 0; 776 777 /* BB FIXME add check that strings total less 778 than 335 or will need to send them as arrays */ 779 780 /* copy user */ 781 if (ses->user_name == NULL) { 782 /* null user mount */ 783 *bcc_ptr = 0; 784 *(bcc_ptr+1) = 0; 785 } else { 786 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 787 CIFS_MAX_USERNAME_LEN, nls_cp); 788 } 789 bcc_ptr += 2 * bytes_ret; 790 bcc_ptr += 2; /* account for null termination */ 791 792 unicode_domain_string(&bcc_ptr, ses, nls_cp); 793 unicode_oslm_strings(&bcc_ptr, nls_cp); 794 795 *pbcc_area = bcc_ptr; 796 } 797 798 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 799 const struct nls_table *nls_cp) 800 { 801 char *bcc_ptr = *pbcc_area; 802 int len; 803 804 /* copy user */ 805 /* BB what about null user mounts - check that we do this BB */ 806 /* copy user */ 807 if (ses->user_name != NULL) { 808 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 809 if (WARN_ON_ONCE(len < 0)) 810 len = CIFS_MAX_USERNAME_LEN - 1; 811 bcc_ptr += len; 812 } 813 /* else null user mount */ 814 *bcc_ptr = 0; 815 bcc_ptr++; /* account for null termination */ 816 817 /* copy domain */ 818 if (ses->domainName != NULL) { 819 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 820 if (WARN_ON_ONCE(len < 0)) 821 len = CIFS_MAX_DOMAINNAME_LEN - 1; 822 bcc_ptr += len; 823 } /* else we will send a null domain name 824 so the server will default to its own domain */ 825 *bcc_ptr = 0; 826 bcc_ptr++; 827 828 /* BB check for overflow here */ 829 830 strcpy(bcc_ptr, "Linux version "); 831 bcc_ptr += strlen("Linux version "); 832 strcpy(bcc_ptr, init_utsname()->release); 833 bcc_ptr += strlen(init_utsname()->release) + 1; 834 835 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 836 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 837 838 *pbcc_area = bcc_ptr; 839 } 840 841 static void 842 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 843 const struct nls_table *nls_cp) 844 { 845 int len; 846 char *data = *pbcc_area; 847 848 cifs_dbg(FYI, "bleft %d\n", bleft); 849 850 kfree(ses->serverOS); 851 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 852 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 853 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 854 data += len; 855 bleft -= len; 856 if (bleft <= 0) 857 return; 858 859 kfree(ses->serverNOS); 860 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 861 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 862 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 863 data += len; 864 bleft -= len; 865 if (bleft <= 0) 866 return; 867 868 kfree(ses->serverDomain); 869 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 870 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 871 872 return; 873 } 874 875 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 876 struct cifs_ses *ses, 877 const struct nls_table *nls_cp) 878 { 879 int len; 880 char *bcc_ptr = *pbcc_area; 881 882 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 883 884 len = strnlen(bcc_ptr, bleft); 885 if (len >= bleft) 886 return; 887 888 kfree(ses->serverOS); 889 890 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 891 if (ses->serverOS) { 892 memcpy(ses->serverOS, bcc_ptr, len); 893 ses->serverOS[len] = 0; 894 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 895 cifs_dbg(FYI, "OS/2 server\n"); 896 } 897 898 bcc_ptr += len + 1; 899 bleft -= len + 1; 900 901 len = strnlen(bcc_ptr, bleft); 902 if (len >= bleft) 903 return; 904 905 kfree(ses->serverNOS); 906 907 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 908 if (ses->serverNOS) { 909 memcpy(ses->serverNOS, bcc_ptr, len); 910 ses->serverNOS[len] = 0; 911 } 912 913 bcc_ptr += len + 1; 914 bleft -= len + 1; 915 916 len = strnlen(bcc_ptr, bleft); 917 if (len > bleft) 918 return; 919 920 /* No domain field in LANMAN case. Domain is 921 returned by old servers in the SMB negprot response */ 922 /* BB For newer servers which do not support Unicode, 923 but thus do return domain here we could add parsing 924 for it later, but it is not very important */ 925 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 926 } 927 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 928 929 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 930 struct cifs_ses *ses) 931 { 932 unsigned int tioffset; /* challenge message target info area */ 933 unsigned int tilen; /* challenge message target info area length */ 934 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 935 __u32 server_flags; 936 937 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 938 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 939 return -EINVAL; 940 } 941 942 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 943 cifs_dbg(VFS, "blob signature incorrect %s\n", 944 pblob->Signature); 945 return -EINVAL; 946 } 947 if (pblob->MessageType != NtLmChallenge) { 948 cifs_dbg(VFS, "Incorrect message type %d\n", 949 pblob->MessageType); 950 return -EINVAL; 951 } 952 953 server_flags = le32_to_cpu(pblob->NegotiateFlags); 954 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 955 ses->ntlmssp->client_flags, server_flags); 956 957 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 958 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 959 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 960 __func__); 961 return -EINVAL; 962 } 963 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 964 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 965 return -EINVAL; 966 } 967 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 968 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 969 __func__); 970 return -EOPNOTSUPP; 971 } 972 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 973 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 974 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 975 __func__); 976 977 ses->ntlmssp->server_flags = server_flags; 978 979 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 980 /* In particular we can examine sign flags */ 981 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 982 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 983 984 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 985 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 986 if (tioffset > blob_len || tioffset + tilen > blob_len) { 987 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 988 tioffset, tilen); 989 return -EINVAL; 990 } 991 if (tilen) { 992 kfree_sensitive(ses->auth_key.response); 993 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 994 GFP_KERNEL); 995 if (!ses->auth_key.response) { 996 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 997 return -ENOMEM; 998 } 999 ses->auth_key.len = tilen; 1000 } 1001 1002 return 0; 1003 } 1004 1005 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 1006 { 1007 int sz = base_size + ses->auth_key.len 1008 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 1009 1010 if (ses->domainName) 1011 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1012 else 1013 sz += sizeof(__le16); 1014 1015 if (ses->user_name) 1016 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1017 else 1018 sz += sizeof(__le16); 1019 1020 if (ses->workstation_name[0]) 1021 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1022 ntlmssp_workstation_name_size(ses)); 1023 else 1024 sz += sizeof(__le16); 1025 1026 return sz; 1027 } 1028 1029 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1030 char *str_value, 1031 int str_length, 1032 unsigned char *pstart, 1033 unsigned char **pcur, 1034 const struct nls_table *nls_cp) 1035 { 1036 unsigned char *tmp = pstart; 1037 int len; 1038 1039 if (!pbuf) 1040 return; 1041 1042 if (!pcur) 1043 pcur = &tmp; 1044 1045 if (!str_value) { 1046 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1047 pbuf->Length = 0; 1048 pbuf->MaximumLength = 0; 1049 *pcur += sizeof(__le16); 1050 } else { 1051 len = cifs_strtoUTF16((__le16 *)*pcur, 1052 str_value, 1053 str_length, 1054 nls_cp); 1055 len *= sizeof(__le16); 1056 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1057 pbuf->Length = cpu_to_le16(len); 1058 pbuf->MaximumLength = cpu_to_le16(len); 1059 *pcur += len; 1060 } 1061 } 1062 1063 /* BB Move to ntlmssp.c eventually */ 1064 1065 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1066 u16 *buflen, 1067 struct cifs_ses *ses, 1068 struct TCP_Server_Info *server, 1069 const struct nls_table *nls_cp) 1070 { 1071 int rc = 0; 1072 NEGOTIATE_MESSAGE *sec_blob; 1073 __u32 flags; 1074 unsigned char *tmp; 1075 int len; 1076 1077 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1078 *pbuffer = kmalloc(len, GFP_KERNEL); 1079 if (!*pbuffer) { 1080 rc = -ENOMEM; 1081 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1082 *buflen = 0; 1083 goto setup_ntlm_neg_ret; 1084 } 1085 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1086 1087 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1088 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1089 sec_blob->MessageType = NtLmNegotiate; 1090 1091 /* BB is NTLMV2 session security format easier to use here? */ 1092 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1093 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1094 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1095 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1096 NTLMSSP_NEGOTIATE_SIGN; 1097 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1098 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1099 1100 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1101 ses->ntlmssp->client_flags = flags; 1102 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1103 1104 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1105 cifs_security_buffer_from_str(&sec_blob->DomainName, 1106 NULL, 1107 CIFS_MAX_DOMAINNAME_LEN, 1108 *pbuffer, &tmp, 1109 nls_cp); 1110 1111 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1112 NULL, 1113 CIFS_MAX_WORKSTATION_LEN, 1114 *pbuffer, &tmp, 1115 nls_cp); 1116 1117 *buflen = tmp - *pbuffer; 1118 setup_ntlm_neg_ret: 1119 return rc; 1120 } 1121 1122 /* 1123 * Build ntlmssp blob with additional fields, such as version, 1124 * supported by modern servers. For safety limit to SMB3 or later 1125 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1126 */ 1127 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1128 u16 *buflen, 1129 struct cifs_ses *ses, 1130 struct TCP_Server_Info *server, 1131 const struct nls_table *nls_cp) 1132 { 1133 int rc = 0; 1134 struct negotiate_message *sec_blob; 1135 __u32 flags; 1136 unsigned char *tmp; 1137 int len; 1138 1139 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1140 *pbuffer = kmalloc(len, GFP_KERNEL); 1141 if (!*pbuffer) { 1142 rc = -ENOMEM; 1143 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1144 *buflen = 0; 1145 goto setup_ntlm_smb3_neg_ret; 1146 } 1147 sec_blob = (struct negotiate_message *)*pbuffer; 1148 1149 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1150 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1151 sec_blob->MessageType = NtLmNegotiate; 1152 1153 /* BB is NTLMV2 session security format easier to use here? */ 1154 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1155 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1156 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1157 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1158 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1159 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1160 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1161 1162 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1163 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1164 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1165 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1166 1167 tmp = *pbuffer + sizeof(struct negotiate_message); 1168 ses->ntlmssp->client_flags = flags; 1169 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1170 1171 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1172 cifs_security_buffer_from_str(&sec_blob->DomainName, 1173 NULL, 1174 CIFS_MAX_DOMAINNAME_LEN, 1175 *pbuffer, &tmp, 1176 nls_cp); 1177 1178 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1179 NULL, 1180 CIFS_MAX_WORKSTATION_LEN, 1181 *pbuffer, &tmp, 1182 nls_cp); 1183 1184 *buflen = tmp - *pbuffer; 1185 setup_ntlm_smb3_neg_ret: 1186 return rc; 1187 } 1188 1189 1190 /* See MS-NLMP 2.2.1.3 */ 1191 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1192 u16 *buflen, 1193 struct cifs_ses *ses, 1194 struct TCP_Server_Info *server, 1195 const struct nls_table *nls_cp) 1196 { 1197 int rc; 1198 AUTHENTICATE_MESSAGE *sec_blob; 1199 __u32 flags; 1200 unsigned char *tmp; 1201 int len; 1202 1203 rc = setup_ntlmv2_rsp(ses, nls_cp); 1204 if (rc) { 1205 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1206 *buflen = 0; 1207 goto setup_ntlmv2_ret; 1208 } 1209 1210 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1211 *pbuffer = kmalloc(len, GFP_KERNEL); 1212 if (!*pbuffer) { 1213 rc = -ENOMEM; 1214 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1215 *buflen = 0; 1216 goto setup_ntlmv2_ret; 1217 } 1218 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1219 1220 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1221 sec_blob->MessageType = NtLmAuthenticate; 1222 1223 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1224 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1225 /* we only send version information in ntlmssp negotiate, so do not set this flag */ 1226 flags = flags & ~NTLMSSP_NEGOTIATE_VERSION; 1227 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1228 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1229 1230 sec_blob->LmChallengeResponse.BufferOffset = 1231 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1232 sec_blob->LmChallengeResponse.Length = 0; 1233 sec_blob->LmChallengeResponse.MaximumLength = 0; 1234 1235 sec_blob->NtChallengeResponse.BufferOffset = 1236 cpu_to_le32(tmp - *pbuffer); 1237 if (ses->user_name != NULL) { 1238 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1239 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1240 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1241 1242 sec_blob->NtChallengeResponse.Length = 1243 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1244 sec_blob->NtChallengeResponse.MaximumLength = 1245 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1246 } else { 1247 /* 1248 * don't send an NT Response for anonymous access 1249 */ 1250 sec_blob->NtChallengeResponse.Length = 0; 1251 sec_blob->NtChallengeResponse.MaximumLength = 0; 1252 } 1253 1254 cifs_security_buffer_from_str(&sec_blob->DomainName, 1255 ses->domainName, 1256 CIFS_MAX_DOMAINNAME_LEN, 1257 *pbuffer, &tmp, 1258 nls_cp); 1259 1260 cifs_security_buffer_from_str(&sec_blob->UserName, 1261 ses->user_name, 1262 CIFS_MAX_USERNAME_LEN, 1263 *pbuffer, &tmp, 1264 nls_cp); 1265 1266 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1267 ses->workstation_name, 1268 ntlmssp_workstation_name_size(ses), 1269 *pbuffer, &tmp, 1270 nls_cp); 1271 1272 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1273 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1274 !calc_seckey(ses)) { 1275 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1276 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1277 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1278 sec_blob->SessionKey.MaximumLength = 1279 cpu_to_le16(CIFS_CPHTXT_SIZE); 1280 tmp += CIFS_CPHTXT_SIZE; 1281 } else { 1282 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1283 sec_blob->SessionKey.Length = 0; 1284 sec_blob->SessionKey.MaximumLength = 0; 1285 } 1286 1287 *buflen = tmp - *pbuffer; 1288 setup_ntlmv2_ret: 1289 return rc; 1290 } 1291 1292 enum securityEnum 1293 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1294 { 1295 switch (server->negflavor) { 1296 case CIFS_NEGFLAVOR_EXTENDED: 1297 switch (requested) { 1298 case Kerberos: 1299 case RawNTLMSSP: 1300 return requested; 1301 case Unspecified: 1302 if (server->sec_ntlmssp && 1303 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1304 return RawNTLMSSP; 1305 if ((server->sec_kerberos || server->sec_mskerberos) && 1306 (global_secflags & CIFSSEC_MAY_KRB5)) 1307 return Kerberos; 1308 fallthrough; 1309 default: 1310 return Unspecified; 1311 } 1312 case CIFS_NEGFLAVOR_UNENCAP: 1313 switch (requested) { 1314 case NTLMv2: 1315 return requested; 1316 case Unspecified: 1317 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1318 return NTLMv2; 1319 break; 1320 default: 1321 break; 1322 } 1323 fallthrough; 1324 default: 1325 return Unspecified; 1326 } 1327 } 1328 1329 struct sess_data { 1330 unsigned int xid; 1331 struct cifs_ses *ses; 1332 struct TCP_Server_Info *server; 1333 struct nls_table *nls_cp; 1334 void (*func)(struct sess_data *); 1335 int result; 1336 1337 /* we will send the SMB in three pieces: 1338 * a fixed length beginning part, an optional 1339 * SPNEGO blob (which can be zero length), and a 1340 * last part which will include the strings 1341 * and rest of bcc area. This allows us to avoid 1342 * a large buffer 17K allocation 1343 */ 1344 int buf0_type; 1345 struct kvec iov[3]; 1346 }; 1347 1348 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1349 static int 1350 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1351 { 1352 int rc; 1353 struct cifs_ses *ses = sess_data->ses; 1354 struct smb_hdr *smb_buf; 1355 1356 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1357 (void **)&smb_buf); 1358 1359 if (rc) 1360 return rc; 1361 1362 sess_data->iov[0].iov_base = (char *)smb_buf; 1363 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1364 /* 1365 * This variable will be used to clear the buffer 1366 * allocated above in case of any error in the calling function. 1367 */ 1368 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1369 1370 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1371 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1372 if (!sess_data->iov[2].iov_base) { 1373 rc = -ENOMEM; 1374 goto out_free_smb_buf; 1375 } 1376 1377 return 0; 1378 1379 out_free_smb_buf: 1380 cifs_small_buf_release(smb_buf); 1381 sess_data->iov[0].iov_base = NULL; 1382 sess_data->iov[0].iov_len = 0; 1383 sess_data->buf0_type = CIFS_NO_BUFFER; 1384 return rc; 1385 } 1386 1387 static void 1388 sess_free_buffer(struct sess_data *sess_data) 1389 { 1390 struct kvec *iov = sess_data->iov; 1391 1392 /* 1393 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1394 * Note that iov[1] is already freed by caller. 1395 */ 1396 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1397 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1398 1399 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1400 sess_data->buf0_type = CIFS_NO_BUFFER; 1401 kfree_sensitive(iov[2].iov_base); 1402 } 1403 1404 static int 1405 sess_establish_session(struct sess_data *sess_data) 1406 { 1407 struct cifs_ses *ses = sess_data->ses; 1408 struct TCP_Server_Info *server = sess_data->server; 1409 1410 cifs_server_lock(server); 1411 if (!server->session_estab) { 1412 if (server->sign) { 1413 server->session_key.response = 1414 kmemdup(ses->auth_key.response, 1415 ses->auth_key.len, GFP_KERNEL); 1416 if (!server->session_key.response) { 1417 cifs_server_unlock(server); 1418 return -ENOMEM; 1419 } 1420 server->session_key.len = 1421 ses->auth_key.len; 1422 } 1423 server->sequence_number = 0x2; 1424 server->session_estab = true; 1425 } 1426 cifs_server_unlock(server); 1427 1428 cifs_dbg(FYI, "CIFS session established successfully\n"); 1429 return 0; 1430 } 1431 1432 static int 1433 sess_sendreceive(struct sess_data *sess_data) 1434 { 1435 int rc; 1436 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1437 __u16 count; 1438 struct kvec rsp_iov = { NULL, 0 }; 1439 1440 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1441 be32_add_cpu(&smb_buf->smb_buf_length, count); 1442 put_bcc(count, smb_buf); 1443 1444 rc = SendReceive2(sess_data->xid, sess_data->ses, 1445 sess_data->iov, 3 /* num_iovecs */, 1446 &sess_data->buf0_type, 1447 CIFS_LOG_ERROR, &rsp_iov); 1448 cifs_small_buf_release(sess_data->iov[0].iov_base); 1449 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1450 1451 return rc; 1452 } 1453 1454 static void 1455 sess_auth_ntlmv2(struct sess_data *sess_data) 1456 { 1457 int rc = 0; 1458 struct smb_hdr *smb_buf; 1459 SESSION_SETUP_ANDX *pSMB; 1460 char *bcc_ptr; 1461 struct cifs_ses *ses = sess_data->ses; 1462 struct TCP_Server_Info *server = sess_data->server; 1463 __u32 capabilities; 1464 __u16 bytes_remaining; 1465 1466 /* old style NTLM sessionsetup */ 1467 /* wct = 13 */ 1468 rc = sess_alloc_buffer(sess_data, 13); 1469 if (rc) 1470 goto out; 1471 1472 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1473 bcc_ptr = sess_data->iov[2].iov_base; 1474 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1475 1476 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1477 1478 /* LM2 password would be here if we supported it */ 1479 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1480 1481 if (ses->user_name != NULL) { 1482 /* calculate nlmv2 response and session key */ 1483 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1484 if (rc) { 1485 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1486 goto out; 1487 } 1488 1489 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1490 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1491 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1492 1493 /* set case sensitive password length after tilen may get 1494 * assigned, tilen is 0 otherwise. 1495 */ 1496 pSMB->req_no_secext.CaseSensitivePasswordLength = 1497 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1498 } else { 1499 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1500 } 1501 1502 if (ses->capabilities & CAP_UNICODE) { 1503 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1504 *bcc_ptr = 0; 1505 bcc_ptr++; 1506 } 1507 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1508 } else { 1509 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1510 } 1511 1512 1513 sess_data->iov[2].iov_len = (long) bcc_ptr - 1514 (long) sess_data->iov[2].iov_base; 1515 1516 rc = sess_sendreceive(sess_data); 1517 if (rc) 1518 goto out; 1519 1520 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1521 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1522 1523 if (smb_buf->WordCount != 3) { 1524 rc = -EIO; 1525 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1526 goto out; 1527 } 1528 1529 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1530 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1531 1532 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1533 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1534 1535 bytes_remaining = get_bcc(smb_buf); 1536 bcc_ptr = pByteArea(smb_buf); 1537 1538 /* BB check if Unicode and decode strings */ 1539 if (bytes_remaining == 0) { 1540 /* no string area to decode, do nothing */ 1541 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1542 /* unicode string area must be word-aligned */ 1543 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1544 ++bcc_ptr; 1545 --bytes_remaining; 1546 } 1547 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1548 sess_data->nls_cp); 1549 } else { 1550 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1551 sess_data->nls_cp); 1552 } 1553 1554 rc = sess_establish_session(sess_data); 1555 out: 1556 sess_data->result = rc; 1557 sess_data->func = NULL; 1558 sess_free_buffer(sess_data); 1559 kfree_sensitive(ses->auth_key.response); 1560 ses->auth_key.response = NULL; 1561 } 1562 1563 #ifdef CONFIG_CIFS_UPCALL 1564 static void 1565 sess_auth_kerberos(struct sess_data *sess_data) 1566 { 1567 int rc = 0; 1568 struct smb_hdr *smb_buf; 1569 SESSION_SETUP_ANDX *pSMB; 1570 char *bcc_ptr; 1571 struct cifs_ses *ses = sess_data->ses; 1572 struct TCP_Server_Info *server = sess_data->server; 1573 __u32 capabilities; 1574 __u16 bytes_remaining; 1575 struct key *spnego_key = NULL; 1576 struct cifs_spnego_msg *msg; 1577 u16 blob_len; 1578 1579 /* extended security */ 1580 /* wct = 12 */ 1581 rc = sess_alloc_buffer(sess_data, 12); 1582 if (rc) 1583 goto out; 1584 1585 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1586 bcc_ptr = sess_data->iov[2].iov_base; 1587 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1588 1589 spnego_key = cifs_get_spnego_key(ses, server); 1590 if (IS_ERR(spnego_key)) { 1591 rc = PTR_ERR(spnego_key); 1592 spnego_key = NULL; 1593 goto out; 1594 } 1595 1596 msg = spnego_key->payload.data[0]; 1597 /* 1598 * check version field to make sure that cifs.upcall is 1599 * sending us a response in an expected form 1600 */ 1601 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1602 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1603 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1604 rc = -EKEYREJECTED; 1605 goto out_put_spnego_key; 1606 } 1607 1608 kfree_sensitive(ses->auth_key.response); 1609 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1610 GFP_KERNEL); 1611 if (!ses->auth_key.response) { 1612 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1613 msg->sesskey_len); 1614 rc = -ENOMEM; 1615 goto out_put_spnego_key; 1616 } 1617 ses->auth_key.len = msg->sesskey_len; 1618 1619 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1620 capabilities |= CAP_EXTENDED_SECURITY; 1621 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1622 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1623 sess_data->iov[1].iov_len = msg->secblob_len; 1624 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1625 1626 if (ses->capabilities & CAP_UNICODE) { 1627 /* unicode strings must be word aligned */ 1628 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1629 *bcc_ptr = 0; 1630 bcc_ptr++; 1631 } 1632 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1633 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1634 } else { 1635 /* BB: is this right? */ 1636 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1637 } 1638 1639 sess_data->iov[2].iov_len = (long) bcc_ptr - 1640 (long) sess_data->iov[2].iov_base; 1641 1642 rc = sess_sendreceive(sess_data); 1643 if (rc) 1644 goto out_put_spnego_key; 1645 1646 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1647 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1648 1649 if (smb_buf->WordCount != 4) { 1650 rc = -EIO; 1651 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1652 goto out_put_spnego_key; 1653 } 1654 1655 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1656 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1657 1658 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1659 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1660 1661 bytes_remaining = get_bcc(smb_buf); 1662 bcc_ptr = pByteArea(smb_buf); 1663 1664 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1665 if (blob_len > bytes_remaining) { 1666 cifs_dbg(VFS, "bad security blob length %d\n", 1667 blob_len); 1668 rc = -EINVAL; 1669 goto out_put_spnego_key; 1670 } 1671 bcc_ptr += blob_len; 1672 bytes_remaining -= blob_len; 1673 1674 /* BB check if Unicode and decode strings */ 1675 if (bytes_remaining == 0) { 1676 /* no string area to decode, do nothing */ 1677 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1678 /* unicode string area must be word-aligned */ 1679 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1680 ++bcc_ptr; 1681 --bytes_remaining; 1682 } 1683 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1684 sess_data->nls_cp); 1685 } else { 1686 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1687 sess_data->nls_cp); 1688 } 1689 1690 rc = sess_establish_session(sess_data); 1691 out_put_spnego_key: 1692 key_invalidate(spnego_key); 1693 key_put(spnego_key); 1694 out: 1695 sess_data->result = rc; 1696 sess_data->func = NULL; 1697 sess_free_buffer(sess_data); 1698 kfree_sensitive(ses->auth_key.response); 1699 ses->auth_key.response = NULL; 1700 } 1701 1702 #endif /* ! CONFIG_CIFS_UPCALL */ 1703 1704 /* 1705 * The required kvec buffers have to be allocated before calling this 1706 * function. 1707 */ 1708 static int 1709 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1710 { 1711 SESSION_SETUP_ANDX *pSMB; 1712 struct cifs_ses *ses = sess_data->ses; 1713 struct TCP_Server_Info *server = sess_data->server; 1714 __u32 capabilities; 1715 char *bcc_ptr; 1716 1717 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1718 1719 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1720 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1721 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1722 return -ENOSYS; 1723 } 1724 1725 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1726 capabilities |= CAP_EXTENDED_SECURITY; 1727 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1728 1729 bcc_ptr = sess_data->iov[2].iov_base; 1730 /* unicode strings must be word aligned */ 1731 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1732 *bcc_ptr = 0; 1733 bcc_ptr++; 1734 } 1735 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1736 1737 sess_data->iov[2].iov_len = (long) bcc_ptr - 1738 (long) sess_data->iov[2].iov_base; 1739 1740 return 0; 1741 } 1742 1743 static void 1744 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1745 1746 static void 1747 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1748 { 1749 int rc; 1750 struct smb_hdr *smb_buf; 1751 SESSION_SETUP_ANDX *pSMB; 1752 struct cifs_ses *ses = sess_data->ses; 1753 struct TCP_Server_Info *server = sess_data->server; 1754 __u16 bytes_remaining; 1755 char *bcc_ptr; 1756 unsigned char *ntlmsspblob = NULL; 1757 u16 blob_len; 1758 1759 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1760 1761 /* 1762 * if memory allocation is successful, caller of this function 1763 * frees it. 1764 */ 1765 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1766 if (!ses->ntlmssp) { 1767 rc = -ENOMEM; 1768 goto out; 1769 } 1770 ses->ntlmssp->sesskey_per_smbsess = false; 1771 1772 /* wct = 12 */ 1773 rc = sess_alloc_buffer(sess_data, 12); 1774 if (rc) 1775 goto out; 1776 1777 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1778 1779 /* Build security blob before we assemble the request */ 1780 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1781 &blob_len, ses, server, 1782 sess_data->nls_cp); 1783 if (rc) 1784 goto out_free_ntlmsspblob; 1785 1786 sess_data->iov[1].iov_len = blob_len; 1787 sess_data->iov[1].iov_base = ntlmsspblob; 1788 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1789 1790 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1791 if (rc) 1792 goto out_free_ntlmsspblob; 1793 1794 rc = sess_sendreceive(sess_data); 1795 1796 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1797 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1798 1799 /* If true, rc here is expected and not an error */ 1800 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1801 smb_buf->Status.CifsError == 1802 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1803 rc = 0; 1804 1805 if (rc) 1806 goto out_free_ntlmsspblob; 1807 1808 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1809 1810 if (smb_buf->WordCount != 4) { 1811 rc = -EIO; 1812 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1813 goto out_free_ntlmsspblob; 1814 } 1815 1816 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1817 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1818 1819 bytes_remaining = get_bcc(smb_buf); 1820 bcc_ptr = pByteArea(smb_buf); 1821 1822 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1823 if (blob_len > bytes_remaining) { 1824 cifs_dbg(VFS, "bad security blob length %d\n", 1825 blob_len); 1826 rc = -EINVAL; 1827 goto out_free_ntlmsspblob; 1828 } 1829 1830 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1831 1832 out_free_ntlmsspblob: 1833 kfree_sensitive(ntlmsspblob); 1834 out: 1835 sess_free_buffer(sess_data); 1836 1837 if (!rc) { 1838 sess_data->func = sess_auth_rawntlmssp_authenticate; 1839 return; 1840 } 1841 1842 /* Else error. Cleanup */ 1843 kfree_sensitive(ses->auth_key.response); 1844 ses->auth_key.response = NULL; 1845 kfree_sensitive(ses->ntlmssp); 1846 ses->ntlmssp = NULL; 1847 1848 sess_data->func = NULL; 1849 sess_data->result = rc; 1850 } 1851 1852 static void 1853 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1854 { 1855 int rc; 1856 struct smb_hdr *smb_buf; 1857 SESSION_SETUP_ANDX *pSMB; 1858 struct cifs_ses *ses = sess_data->ses; 1859 struct TCP_Server_Info *server = sess_data->server; 1860 __u16 bytes_remaining; 1861 char *bcc_ptr; 1862 unsigned char *ntlmsspblob = NULL; 1863 u16 blob_len; 1864 1865 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1866 1867 /* wct = 12 */ 1868 rc = sess_alloc_buffer(sess_data, 12); 1869 if (rc) 1870 goto out; 1871 1872 /* Build security blob before we assemble the request */ 1873 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1874 smb_buf = (struct smb_hdr *)pSMB; 1875 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1876 &blob_len, ses, server, 1877 sess_data->nls_cp); 1878 if (rc) 1879 goto out_free_ntlmsspblob; 1880 sess_data->iov[1].iov_len = blob_len; 1881 sess_data->iov[1].iov_base = ntlmsspblob; 1882 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1883 /* 1884 * Make sure that we tell the server that we are using 1885 * the uid that it just gave us back on the response 1886 * (challenge) 1887 */ 1888 smb_buf->Uid = ses->Suid; 1889 1890 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1891 if (rc) 1892 goto out_free_ntlmsspblob; 1893 1894 rc = sess_sendreceive(sess_data); 1895 if (rc) 1896 goto out_free_ntlmsspblob; 1897 1898 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1899 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1900 if (smb_buf->WordCount != 4) { 1901 rc = -EIO; 1902 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1903 goto out_free_ntlmsspblob; 1904 } 1905 1906 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1907 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1908 1909 if (ses->Suid != smb_buf->Uid) { 1910 ses->Suid = smb_buf->Uid; 1911 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1912 } 1913 1914 bytes_remaining = get_bcc(smb_buf); 1915 bcc_ptr = pByteArea(smb_buf); 1916 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1917 if (blob_len > bytes_remaining) { 1918 cifs_dbg(VFS, "bad security blob length %d\n", 1919 blob_len); 1920 rc = -EINVAL; 1921 goto out_free_ntlmsspblob; 1922 } 1923 bcc_ptr += blob_len; 1924 bytes_remaining -= blob_len; 1925 1926 1927 /* BB check if Unicode and decode strings */ 1928 if (bytes_remaining == 0) { 1929 /* no string area to decode, do nothing */ 1930 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1931 /* unicode string area must be word-aligned */ 1932 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1933 ++bcc_ptr; 1934 --bytes_remaining; 1935 } 1936 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1937 sess_data->nls_cp); 1938 } else { 1939 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1940 sess_data->nls_cp); 1941 } 1942 1943 out_free_ntlmsspblob: 1944 kfree_sensitive(ntlmsspblob); 1945 out: 1946 sess_free_buffer(sess_data); 1947 1948 if (!rc) 1949 rc = sess_establish_session(sess_data); 1950 1951 /* Cleanup */ 1952 kfree_sensitive(ses->auth_key.response); 1953 ses->auth_key.response = NULL; 1954 kfree_sensitive(ses->ntlmssp); 1955 ses->ntlmssp = NULL; 1956 1957 sess_data->func = NULL; 1958 sess_data->result = rc; 1959 } 1960 1961 static int select_sec(struct sess_data *sess_data) 1962 { 1963 int type; 1964 struct cifs_ses *ses = sess_data->ses; 1965 struct TCP_Server_Info *server = sess_data->server; 1966 1967 type = cifs_select_sectype(server, ses->sectype); 1968 cifs_dbg(FYI, "sess setup type %d\n", type); 1969 if (type == Unspecified) { 1970 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1971 return -EINVAL; 1972 } 1973 1974 switch (type) { 1975 case NTLMv2: 1976 sess_data->func = sess_auth_ntlmv2; 1977 break; 1978 case Kerberos: 1979 #ifdef CONFIG_CIFS_UPCALL 1980 sess_data->func = sess_auth_kerberos; 1981 break; 1982 #else 1983 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1984 return -ENOSYS; 1985 #endif /* CONFIG_CIFS_UPCALL */ 1986 case RawNTLMSSP: 1987 sess_data->func = sess_auth_rawntlmssp_negotiate; 1988 break; 1989 default: 1990 cifs_dbg(VFS, "secType %d not supported!\n", type); 1991 return -ENOSYS; 1992 } 1993 1994 return 0; 1995 } 1996 1997 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1998 struct TCP_Server_Info *server, 1999 const struct nls_table *nls_cp) 2000 { 2001 int rc = 0; 2002 struct sess_data *sess_data; 2003 2004 if (ses == NULL) { 2005 WARN(1, "%s: ses == NULL!", __func__); 2006 return -EINVAL; 2007 } 2008 2009 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2010 if (!sess_data) 2011 return -ENOMEM; 2012 2013 sess_data->xid = xid; 2014 sess_data->ses = ses; 2015 sess_data->server = server; 2016 sess_data->buf0_type = CIFS_NO_BUFFER; 2017 sess_data->nls_cp = (struct nls_table *) nls_cp; 2018 2019 rc = select_sec(sess_data); 2020 if (rc) 2021 goto out; 2022 2023 while (sess_data->func) 2024 sess_data->func(sess_data); 2025 2026 /* Store result before we free sess_data */ 2027 rc = sess_data->result; 2028 2029 out: 2030 kfree_sensitive(sess_data); 2031 return rc; 2032 } 2033 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2034