1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool 31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 int 73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 for (i = 0; i < ses->chan_count; i++) { 79 if (ses->chans[i].server == server) 80 return i; 81 } 82 83 /* If we didn't find the channel, it is likely a bug */ 84 if (server) 85 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 86 server->conn_id); 87 WARN_ON(1); 88 return CIFS_INVAL_CHAN_INDEX; 89 } 90 91 void 92 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 93 struct TCP_Server_Info *server) 94 { 95 int chan_index = cifs_ses_get_chan_index(ses, server); 96 97 if (chan_index == CIFS_INVAL_CHAN_INDEX) 98 return; 99 100 ses->chans[chan_index].in_reconnect = true; 101 } 102 103 void 104 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 105 struct TCP_Server_Info *server) 106 { 107 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 108 if (chan_index == CIFS_INVAL_CHAN_INDEX) 109 return; 110 111 ses->chans[chan_index].in_reconnect = false; 112 } 113 114 bool 115 cifs_chan_in_reconnect(struct cifs_ses *ses, 116 struct TCP_Server_Info *server) 117 { 118 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 119 if (chan_index == CIFS_INVAL_CHAN_INDEX) 120 return true; /* err on the safer side */ 121 122 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 123 } 124 125 void 126 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 127 struct TCP_Server_Info *server) 128 { 129 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 130 if (chan_index == CIFS_INVAL_CHAN_INDEX) 131 return; 132 133 set_bit(chan_index, &ses->chans_need_reconnect); 134 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 135 chan_index, ses->chans_need_reconnect); 136 } 137 138 void 139 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 140 struct TCP_Server_Info *server) 141 { 142 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 143 if (chan_index == CIFS_INVAL_CHAN_INDEX) 144 return; 145 146 clear_bit(chan_index, &ses->chans_need_reconnect); 147 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 148 chan_index, ses->chans_need_reconnect); 149 } 150 151 bool 152 cifs_chan_needs_reconnect(struct cifs_ses *ses, 153 struct TCP_Server_Info *server) 154 { 155 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 156 if (chan_index == CIFS_INVAL_CHAN_INDEX) 157 return true; /* err on the safer side */ 158 159 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 160 } 161 162 bool 163 cifs_chan_is_iface_active(struct cifs_ses *ses, 164 struct TCP_Server_Info *server) 165 { 166 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 167 if (chan_index == CIFS_INVAL_CHAN_INDEX) 168 return true; /* err on the safer side */ 169 170 return ses->chans[chan_index].iface && 171 ses->chans[chan_index].iface->is_active; 172 } 173 174 /* returns number of channels added */ 175 int cifs_try_adding_channels(struct cifs_ses *ses) 176 { 177 struct TCP_Server_Info *server = ses->server; 178 int old_chan_count, new_chan_count; 179 int left; 180 int rc = 0; 181 int tries = 0; 182 size_t iface_weight = 0, iface_min_speed = 0; 183 struct cifs_server_iface *iface = NULL, *niface = NULL; 184 struct cifs_server_iface *last_iface = NULL; 185 186 spin_lock(&ses->chan_lock); 187 188 new_chan_count = old_chan_count = ses->chan_count; 189 left = ses->chan_max - ses->chan_count; 190 191 if (left <= 0) { 192 spin_unlock(&ses->chan_lock); 193 cifs_dbg(FYI, 194 "ses already at max_channels (%zu), nothing to open\n", 195 ses->chan_max); 196 return 0; 197 } 198 199 if (server->dialect < SMB30_PROT_ID) { 200 spin_unlock(&ses->chan_lock); 201 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 202 return 0; 203 } 204 205 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 206 spin_unlock(&ses->chan_lock); 207 cifs_server_dbg(VFS, "no multichannel support\n"); 208 return 0; 209 } 210 spin_unlock(&ses->chan_lock); 211 212 while (left > 0) { 213 214 tries++; 215 if (tries > 3*ses->chan_max) { 216 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 217 left); 218 break; 219 } 220 221 spin_lock(&ses->iface_lock); 222 if (!ses->iface_count) { 223 spin_unlock(&ses->iface_lock); 224 cifs_dbg(VFS, "server %s does not advertise interfaces\n", 225 ses->server->hostname); 226 break; 227 } 228 229 if (!iface) 230 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 231 iface_head); 232 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 233 iface_head); 234 iface_min_speed = last_iface->speed; 235 236 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 237 iface_head) { 238 /* do not mix rdma and non-rdma interfaces */ 239 if (iface->rdma_capable != ses->server->rdma) 240 continue; 241 242 /* skip ifaces that are unusable */ 243 if (!iface->is_active || 244 (is_ses_using_iface(ses, iface) && 245 !iface->rss_capable)) 246 continue; 247 248 /* check if we already allocated enough channels */ 249 iface_weight = iface->speed / iface_min_speed; 250 251 if (iface->weight_fulfilled >= iface_weight) 252 continue; 253 254 /* take ref before unlock */ 255 kref_get(&iface->refcount); 256 257 spin_unlock(&ses->iface_lock); 258 rc = cifs_ses_add_channel(ses, iface); 259 spin_lock(&ses->iface_lock); 260 261 if (rc) { 262 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 263 &iface->sockaddr, 264 rc); 265 kref_put(&iface->refcount, release_iface); 266 continue; 267 } 268 269 iface->num_channels++; 270 iface->weight_fulfilled++; 271 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n", 272 &iface->sockaddr); 273 break; 274 } 275 276 /* reached end of list. reset weight_fulfilled and start over */ 277 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 278 list_for_each_entry(iface, &ses->iface_list, iface_head) 279 iface->weight_fulfilled = 0; 280 spin_unlock(&ses->iface_lock); 281 iface = NULL; 282 continue; 283 } 284 spin_unlock(&ses->iface_lock); 285 286 left--; 287 new_chan_count++; 288 } 289 290 return new_chan_count - old_chan_count; 291 } 292 293 /* 294 * called when multichannel is disabled by the server. 295 * this always gets called from smb2_reconnect 296 * and cannot get called in parallel threads. 297 */ 298 void 299 cifs_disable_secondary_channels(struct cifs_ses *ses) 300 { 301 int i, chan_count; 302 struct TCP_Server_Info *server; 303 struct cifs_server_iface *iface; 304 305 spin_lock(&ses->chan_lock); 306 chan_count = ses->chan_count; 307 if (chan_count == 1) 308 goto done; 309 310 ses->chan_count = 1; 311 312 /* for all secondary channels reset the need reconnect bit */ 313 ses->chans_need_reconnect &= 1; 314 315 for (i = 1; i < chan_count; i++) { 316 iface = ses->chans[i].iface; 317 server = ses->chans[i].server; 318 319 /* 320 * remove these references first, since we need to unlock 321 * the chan_lock here, since iface_lock is a higher lock 322 */ 323 ses->chans[i].iface = NULL; 324 ses->chans[i].server = NULL; 325 spin_unlock(&ses->chan_lock); 326 327 if (iface) { 328 spin_lock(&ses->iface_lock); 329 kref_put(&iface->refcount, release_iface); 330 iface->num_channels--; 331 if (iface->weight_fulfilled) 332 iface->weight_fulfilled--; 333 spin_unlock(&ses->iface_lock); 334 } 335 336 if (server) { 337 if (!server->terminate) { 338 server->terminate = true; 339 cifs_signal_cifsd_for_reconnect(server, false); 340 } 341 cifs_put_tcp_session(server, false); 342 } 343 344 spin_lock(&ses->chan_lock); 345 } 346 347 done: 348 spin_unlock(&ses->chan_lock); 349 } 350 351 /* 352 * update the iface for the channel if necessary. 353 * will return 0 when iface is updated, 1 if removed, 2 otherwise 354 * Must be called with chan_lock held. 355 */ 356 int 357 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 358 { 359 unsigned int chan_index; 360 size_t iface_weight = 0, iface_min_speed = 0; 361 struct cifs_server_iface *iface = NULL; 362 struct cifs_server_iface *old_iface = NULL; 363 struct cifs_server_iface *last_iface = NULL; 364 struct sockaddr_storage ss; 365 int rc = 0; 366 367 spin_lock(&ses->chan_lock); 368 chan_index = cifs_ses_get_chan_index(ses, server); 369 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 370 spin_unlock(&ses->chan_lock); 371 return 0; 372 } 373 374 if (ses->chans[chan_index].iface) { 375 old_iface = ses->chans[chan_index].iface; 376 if (old_iface->is_active) { 377 spin_unlock(&ses->chan_lock); 378 return 1; 379 } 380 } 381 spin_unlock(&ses->chan_lock); 382 383 spin_lock(&server->srv_lock); 384 ss = server->dstaddr; 385 spin_unlock(&server->srv_lock); 386 387 spin_lock(&ses->iface_lock); 388 if (!ses->iface_count) { 389 spin_unlock(&ses->iface_lock); 390 cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname); 391 return 0; 392 } 393 394 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 395 iface_head); 396 iface_min_speed = last_iface->speed; 397 398 /* then look for a new one */ 399 list_for_each_entry(iface, &ses->iface_list, iface_head) { 400 if (!chan_index) { 401 /* if we're trying to get the updated iface for primary channel */ 402 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 403 (struct sockaddr *) &iface->sockaddr)) 404 continue; 405 406 kref_get(&iface->refcount); 407 break; 408 } 409 410 /* do not mix rdma and non-rdma interfaces */ 411 if (iface->rdma_capable != server->rdma) 412 continue; 413 414 if (!iface->is_active || 415 (is_ses_using_iface(ses, iface) && 416 !iface->rss_capable)) { 417 continue; 418 } 419 420 /* check if we already allocated enough channels */ 421 iface_weight = iface->speed / iface_min_speed; 422 423 if (iface->weight_fulfilled >= iface_weight) 424 continue; 425 426 kref_get(&iface->refcount); 427 break; 428 } 429 430 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 431 rc = 1; 432 iface = NULL; 433 cifs_dbg(FYI, "unable to find a suitable iface\n"); 434 } 435 436 if (!chan_index && !iface) { 437 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 438 &ss); 439 spin_unlock(&ses->iface_lock); 440 return 0; 441 } 442 443 /* now drop the ref to the current iface */ 444 if (old_iface && iface) { 445 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 446 &old_iface->sockaddr, 447 &iface->sockaddr); 448 449 old_iface->num_channels--; 450 if (old_iface->weight_fulfilled) 451 old_iface->weight_fulfilled--; 452 iface->num_channels++; 453 iface->weight_fulfilled++; 454 455 kref_put(&old_iface->refcount, release_iface); 456 } else if (old_iface) { 457 cifs_dbg(FYI, "releasing ref to iface: %pIS\n", 458 &old_iface->sockaddr); 459 460 old_iface->num_channels--; 461 if (old_iface->weight_fulfilled) 462 old_iface->weight_fulfilled--; 463 464 kref_put(&old_iface->refcount, release_iface); 465 } else if (!chan_index) { 466 /* special case: update interface for primary channel */ 467 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 468 &iface->sockaddr); 469 iface->num_channels++; 470 iface->weight_fulfilled++; 471 } else { 472 WARN_ON(!iface); 473 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); 474 } 475 spin_unlock(&ses->iface_lock); 476 477 spin_lock(&ses->chan_lock); 478 chan_index = cifs_ses_get_chan_index(ses, server); 479 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 480 spin_unlock(&ses->chan_lock); 481 return 0; 482 } 483 484 ses->chans[chan_index].iface = iface; 485 486 /* No iface is found. if secondary chan, drop connection */ 487 if (!iface && SERVER_IS_CHAN(server)) 488 ses->chans[chan_index].server = NULL; 489 490 spin_unlock(&ses->chan_lock); 491 492 if (!iface && SERVER_IS_CHAN(server)) 493 cifs_put_tcp_session(server, false); 494 495 return rc; 496 } 497 498 /* 499 * If server is a channel of ses, return the corresponding enclosing 500 * cifs_chan otherwise return NULL. 501 */ 502 struct cifs_chan * 503 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 504 { 505 int i; 506 507 spin_lock(&ses->chan_lock); 508 for (i = 0; i < ses->chan_count; i++) { 509 if (ses->chans[i].server == server) { 510 spin_unlock(&ses->chan_lock); 511 return &ses->chans[i]; 512 } 513 } 514 spin_unlock(&ses->chan_lock); 515 return NULL; 516 } 517 518 static int 519 cifs_ses_add_channel(struct cifs_ses *ses, 520 struct cifs_server_iface *iface) 521 { 522 struct TCP_Server_Info *chan_server; 523 struct cifs_chan *chan; 524 struct smb3_fs_context *ctx; 525 static const char unc_fmt[] = "\\%s\\foo"; 526 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 527 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 528 size_t len; 529 int rc; 530 unsigned int xid = get_xid(); 531 532 if (iface->sockaddr.ss_family == AF_INET) 533 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 534 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 535 &ipv4->sin_addr); 536 else 537 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 538 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 539 &ipv6->sin6_addr); 540 541 /* 542 * Setup a ctx with mostly the same info as the existing 543 * session and overwrite it with the requested iface data. 544 * 545 * We need to setup at least the fields used for negprot and 546 * sesssetup. 547 * 548 * We only need the ctx here, so we can reuse memory from 549 * the session and server without caring about memory 550 * management. 551 */ 552 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 553 if (!ctx) { 554 rc = -ENOMEM; 555 goto out_free_xid; 556 } 557 558 /* Always make new connection for now (TODO?) */ 559 ctx->nosharesock = true; 560 561 /* Auth */ 562 ctx->domainauto = ses->domainAuto; 563 ctx->domainname = ses->domainName; 564 565 /* no hostname for extra channels */ 566 ctx->server_hostname = ""; 567 568 ctx->username = ses->user_name; 569 ctx->password = ses->password; 570 ctx->sectype = ses->sectype; 571 ctx->sign = ses->sign; 572 573 /* UNC and paths */ 574 /* XXX: Use ses->server->hostname? */ 575 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 576 ctx->UNC = kzalloc(len, GFP_KERNEL); 577 if (!ctx->UNC) { 578 rc = -ENOMEM; 579 goto out_free_ctx; 580 } 581 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 582 ctx->prepath = ""; 583 584 /* Reuse same version as master connection */ 585 ctx->vals = ses->server->vals; 586 ctx->ops = ses->server->ops; 587 588 ctx->noblocksnd = ses->server->noblocksnd; 589 ctx->noautotune = ses->server->noautotune; 590 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 591 ctx->echo_interval = ses->server->echo_interval / HZ; 592 ctx->max_credits = ses->server->max_credits; 593 594 /* 595 * This will be used for encoding/decoding user/domain/pw 596 * during sess setup auth. 597 */ 598 ctx->local_nls = ses->local_nls; 599 600 /* Use RDMA if possible */ 601 ctx->rdma = iface->rdma_capable; 602 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 603 604 /* reuse master con client guid */ 605 memcpy(&ctx->client_guid, ses->server->client_guid, 606 sizeof(ctx->client_guid)); 607 ctx->use_client_guid = true; 608 609 chan_server = cifs_get_tcp_session(ctx, ses->server); 610 611 spin_lock(&ses->chan_lock); 612 chan = &ses->chans[ses->chan_count]; 613 chan->server = chan_server; 614 if (IS_ERR(chan->server)) { 615 rc = PTR_ERR(chan->server); 616 chan->server = NULL; 617 spin_unlock(&ses->chan_lock); 618 goto out; 619 } 620 chan->iface = iface; 621 ses->chan_count++; 622 atomic_set(&ses->chan_seq, 0); 623 624 /* Mark this channel as needing connect/setup */ 625 cifs_chan_set_need_reconnect(ses, chan->server); 626 627 spin_unlock(&ses->chan_lock); 628 629 mutex_lock(&ses->session_mutex); 630 /* 631 * We need to allocate the server crypto now as we will need 632 * to sign packets before we generate the channel signing key 633 * (we sign with the session key) 634 */ 635 rc = smb311_crypto_shash_allocate(chan->server); 636 if (rc) { 637 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 638 mutex_unlock(&ses->session_mutex); 639 goto out; 640 } 641 642 rc = cifs_negotiate_protocol(xid, ses, chan->server); 643 if (!rc) 644 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 645 646 mutex_unlock(&ses->session_mutex); 647 648 out: 649 if (rc && chan->server) { 650 cifs_put_tcp_session(chan->server, 0); 651 652 spin_lock(&ses->chan_lock); 653 654 /* we rely on all bits beyond chan_count to be clear */ 655 cifs_chan_clear_need_reconnect(ses, chan->server); 656 ses->chan_count--; 657 /* 658 * chan_count should never reach 0 as at least the primary 659 * channel is always allocated 660 */ 661 WARN_ON(ses->chan_count < 1); 662 spin_unlock(&ses->chan_lock); 663 } 664 665 kfree(ctx->UNC); 666 out_free_ctx: 667 kfree(ctx); 668 out_free_xid: 669 free_xid(xid); 670 return rc; 671 } 672 673 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 674 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 675 struct TCP_Server_Info *server, 676 SESSION_SETUP_ANDX *pSMB) 677 { 678 __u32 capabilities = 0; 679 680 /* init fields common to all four types of SessSetup */ 681 /* Note that offsets for first seven fields in req struct are same */ 682 /* in CIFS Specs so does not matter which of 3 forms of struct */ 683 /* that we use in next few lines */ 684 /* Note that header is initialized to zero in header_assemble */ 685 pSMB->req.AndXCommand = 0xFF; 686 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 687 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 688 USHRT_MAX)); 689 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 690 pSMB->req.VcNumber = cpu_to_le16(1); 691 692 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 693 694 /* BB verify whether signing required on neg or just on auth frame 695 (and NTLM case) */ 696 697 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 698 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 699 700 if (server->sign) 701 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 702 703 if (ses->capabilities & CAP_UNICODE) { 704 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 705 capabilities |= CAP_UNICODE; 706 } 707 if (ses->capabilities & CAP_STATUS32) { 708 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 709 capabilities |= CAP_STATUS32; 710 } 711 if (ses->capabilities & CAP_DFS) { 712 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 713 capabilities |= CAP_DFS; 714 } 715 if (ses->capabilities & CAP_UNIX) 716 capabilities |= CAP_UNIX; 717 718 return capabilities; 719 } 720 721 static void 722 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 723 { 724 char *bcc_ptr = *pbcc_area; 725 int bytes_ret = 0; 726 727 /* Copy OS version */ 728 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 729 nls_cp); 730 bcc_ptr += 2 * bytes_ret; 731 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 732 32, nls_cp); 733 bcc_ptr += 2 * bytes_ret; 734 bcc_ptr += 2; /* trailing null */ 735 736 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 737 32, nls_cp); 738 bcc_ptr += 2 * bytes_ret; 739 bcc_ptr += 2; /* trailing null */ 740 741 *pbcc_area = bcc_ptr; 742 } 743 744 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 745 const struct nls_table *nls_cp) 746 { 747 char *bcc_ptr = *pbcc_area; 748 int bytes_ret = 0; 749 750 /* copy domain */ 751 if (ses->domainName == NULL) { 752 /* Sending null domain better than using a bogus domain name (as 753 we did briefly in 2.6.18) since server will use its default */ 754 *bcc_ptr = 0; 755 *(bcc_ptr+1) = 0; 756 bytes_ret = 0; 757 } else 758 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 759 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 760 bcc_ptr += 2 * bytes_ret; 761 bcc_ptr += 2; /* account for null terminator */ 762 763 *pbcc_area = bcc_ptr; 764 } 765 766 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 767 const struct nls_table *nls_cp) 768 { 769 char *bcc_ptr = *pbcc_area; 770 int bytes_ret = 0; 771 772 /* BB FIXME add check that strings total less 773 than 335 or will need to send them as arrays */ 774 775 /* copy user */ 776 if (ses->user_name == NULL) { 777 /* null user mount */ 778 *bcc_ptr = 0; 779 *(bcc_ptr+1) = 0; 780 } else { 781 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 782 CIFS_MAX_USERNAME_LEN, nls_cp); 783 } 784 bcc_ptr += 2 * bytes_ret; 785 bcc_ptr += 2; /* account for null termination */ 786 787 unicode_domain_string(&bcc_ptr, ses, nls_cp); 788 unicode_oslm_strings(&bcc_ptr, nls_cp); 789 790 *pbcc_area = bcc_ptr; 791 } 792 793 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 794 const struct nls_table *nls_cp) 795 { 796 char *bcc_ptr = *pbcc_area; 797 int len; 798 799 /* copy user */ 800 /* BB what about null user mounts - check that we do this BB */ 801 /* copy user */ 802 if (ses->user_name != NULL) { 803 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 804 if (WARN_ON_ONCE(len < 0)) 805 len = CIFS_MAX_USERNAME_LEN - 1; 806 bcc_ptr += len; 807 } 808 /* else null user mount */ 809 *bcc_ptr = 0; 810 bcc_ptr++; /* account for null termination */ 811 812 /* copy domain */ 813 if (ses->domainName != NULL) { 814 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 815 if (WARN_ON_ONCE(len < 0)) 816 len = CIFS_MAX_DOMAINNAME_LEN - 1; 817 bcc_ptr += len; 818 } /* else we will send a null domain name 819 so the server will default to its own domain */ 820 *bcc_ptr = 0; 821 bcc_ptr++; 822 823 /* BB check for overflow here */ 824 825 strcpy(bcc_ptr, "Linux version "); 826 bcc_ptr += strlen("Linux version "); 827 strcpy(bcc_ptr, init_utsname()->release); 828 bcc_ptr += strlen(init_utsname()->release) + 1; 829 830 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 831 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 832 833 *pbcc_area = bcc_ptr; 834 } 835 836 static void 837 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 838 const struct nls_table *nls_cp) 839 { 840 int len; 841 char *data = *pbcc_area; 842 843 cifs_dbg(FYI, "bleft %d\n", bleft); 844 845 kfree(ses->serverOS); 846 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 847 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 848 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 849 data += len; 850 bleft -= len; 851 if (bleft <= 0) 852 return; 853 854 kfree(ses->serverNOS); 855 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 856 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 857 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 858 data += len; 859 bleft -= len; 860 if (bleft <= 0) 861 return; 862 863 kfree(ses->serverDomain); 864 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 865 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 866 867 return; 868 } 869 870 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 871 struct cifs_ses *ses, 872 const struct nls_table *nls_cp) 873 { 874 int len; 875 char *bcc_ptr = *pbcc_area; 876 877 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 878 879 len = strnlen(bcc_ptr, bleft); 880 if (len >= bleft) 881 return; 882 883 kfree(ses->serverOS); 884 885 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 886 if (ses->serverOS) { 887 memcpy(ses->serverOS, bcc_ptr, len); 888 ses->serverOS[len] = 0; 889 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 890 cifs_dbg(FYI, "OS/2 server\n"); 891 } 892 893 bcc_ptr += len + 1; 894 bleft -= len + 1; 895 896 len = strnlen(bcc_ptr, bleft); 897 if (len >= bleft) 898 return; 899 900 kfree(ses->serverNOS); 901 902 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 903 if (ses->serverNOS) { 904 memcpy(ses->serverNOS, bcc_ptr, len); 905 ses->serverNOS[len] = 0; 906 } 907 908 bcc_ptr += len + 1; 909 bleft -= len + 1; 910 911 len = strnlen(bcc_ptr, bleft); 912 if (len > bleft) 913 return; 914 915 /* No domain field in LANMAN case. Domain is 916 returned by old servers in the SMB negprot response */ 917 /* BB For newer servers which do not support Unicode, 918 but thus do return domain here we could add parsing 919 for it later, but it is not very important */ 920 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 921 } 922 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 923 924 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 925 struct cifs_ses *ses) 926 { 927 unsigned int tioffset; /* challenge message target info area */ 928 unsigned int tilen; /* challenge message target info area length */ 929 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 930 __u32 server_flags; 931 932 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 933 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 934 return -EINVAL; 935 } 936 937 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 938 cifs_dbg(VFS, "blob signature incorrect %s\n", 939 pblob->Signature); 940 return -EINVAL; 941 } 942 if (pblob->MessageType != NtLmChallenge) { 943 cifs_dbg(VFS, "Incorrect message type %d\n", 944 pblob->MessageType); 945 return -EINVAL; 946 } 947 948 server_flags = le32_to_cpu(pblob->NegotiateFlags); 949 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 950 ses->ntlmssp->client_flags, server_flags); 951 952 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 953 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 954 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 955 __func__); 956 return -EINVAL; 957 } 958 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 959 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 960 return -EINVAL; 961 } 962 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 963 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 964 __func__); 965 return -EOPNOTSUPP; 966 } 967 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 968 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 969 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 970 __func__); 971 972 ses->ntlmssp->server_flags = server_flags; 973 974 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 975 /* In particular we can examine sign flags */ 976 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 977 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 978 979 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 980 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 981 if (tioffset > blob_len || tioffset + tilen > blob_len) { 982 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 983 tioffset, tilen); 984 return -EINVAL; 985 } 986 if (tilen) { 987 kfree_sensitive(ses->auth_key.response); 988 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 989 GFP_KERNEL); 990 if (!ses->auth_key.response) { 991 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 992 return -ENOMEM; 993 } 994 ses->auth_key.len = tilen; 995 } 996 997 return 0; 998 } 999 1000 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 1001 { 1002 int sz = base_size + ses->auth_key.len 1003 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 1004 1005 if (ses->domainName) 1006 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1007 else 1008 sz += sizeof(__le16); 1009 1010 if (ses->user_name) 1011 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1012 else 1013 sz += sizeof(__le16); 1014 1015 if (ses->workstation_name[0]) 1016 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1017 ntlmssp_workstation_name_size(ses)); 1018 else 1019 sz += sizeof(__le16); 1020 1021 return sz; 1022 } 1023 1024 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1025 char *str_value, 1026 int str_length, 1027 unsigned char *pstart, 1028 unsigned char **pcur, 1029 const struct nls_table *nls_cp) 1030 { 1031 unsigned char *tmp = pstart; 1032 int len; 1033 1034 if (!pbuf) 1035 return; 1036 1037 if (!pcur) 1038 pcur = &tmp; 1039 1040 if (!str_value) { 1041 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1042 pbuf->Length = 0; 1043 pbuf->MaximumLength = 0; 1044 *pcur += sizeof(__le16); 1045 } else { 1046 len = cifs_strtoUTF16((__le16 *)*pcur, 1047 str_value, 1048 str_length, 1049 nls_cp); 1050 len *= sizeof(__le16); 1051 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1052 pbuf->Length = cpu_to_le16(len); 1053 pbuf->MaximumLength = cpu_to_le16(len); 1054 *pcur += len; 1055 } 1056 } 1057 1058 /* BB Move to ntlmssp.c eventually */ 1059 1060 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1061 u16 *buflen, 1062 struct cifs_ses *ses, 1063 struct TCP_Server_Info *server, 1064 const struct nls_table *nls_cp) 1065 { 1066 int rc = 0; 1067 NEGOTIATE_MESSAGE *sec_blob; 1068 __u32 flags; 1069 unsigned char *tmp; 1070 int len; 1071 1072 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1073 *pbuffer = kmalloc(len, GFP_KERNEL); 1074 if (!*pbuffer) { 1075 rc = -ENOMEM; 1076 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1077 *buflen = 0; 1078 goto setup_ntlm_neg_ret; 1079 } 1080 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1081 1082 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1083 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1084 sec_blob->MessageType = NtLmNegotiate; 1085 1086 /* BB is NTLMV2 session security format easier to use here? */ 1087 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1088 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1089 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1090 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1091 NTLMSSP_NEGOTIATE_SIGN; 1092 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1093 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1094 1095 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1096 ses->ntlmssp->client_flags = flags; 1097 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1098 1099 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1100 cifs_security_buffer_from_str(&sec_blob->DomainName, 1101 NULL, 1102 CIFS_MAX_DOMAINNAME_LEN, 1103 *pbuffer, &tmp, 1104 nls_cp); 1105 1106 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1107 NULL, 1108 CIFS_MAX_WORKSTATION_LEN, 1109 *pbuffer, &tmp, 1110 nls_cp); 1111 1112 *buflen = tmp - *pbuffer; 1113 setup_ntlm_neg_ret: 1114 return rc; 1115 } 1116 1117 /* 1118 * Build ntlmssp blob with additional fields, such as version, 1119 * supported by modern servers. For safety limit to SMB3 or later 1120 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1121 */ 1122 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1123 u16 *buflen, 1124 struct cifs_ses *ses, 1125 struct TCP_Server_Info *server, 1126 const struct nls_table *nls_cp) 1127 { 1128 int rc = 0; 1129 struct negotiate_message *sec_blob; 1130 __u32 flags; 1131 unsigned char *tmp; 1132 int len; 1133 1134 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1135 *pbuffer = kmalloc(len, GFP_KERNEL); 1136 if (!*pbuffer) { 1137 rc = -ENOMEM; 1138 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1139 *buflen = 0; 1140 goto setup_ntlm_smb3_neg_ret; 1141 } 1142 sec_blob = (struct negotiate_message *)*pbuffer; 1143 1144 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1145 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1146 sec_blob->MessageType = NtLmNegotiate; 1147 1148 /* BB is NTLMV2 session security format easier to use here? */ 1149 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1150 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1151 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1152 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1153 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1154 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1155 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1156 1157 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1158 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1159 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1160 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1161 1162 tmp = *pbuffer + sizeof(struct negotiate_message); 1163 ses->ntlmssp->client_flags = flags; 1164 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1165 1166 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1167 cifs_security_buffer_from_str(&sec_blob->DomainName, 1168 NULL, 1169 CIFS_MAX_DOMAINNAME_LEN, 1170 *pbuffer, &tmp, 1171 nls_cp); 1172 1173 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1174 NULL, 1175 CIFS_MAX_WORKSTATION_LEN, 1176 *pbuffer, &tmp, 1177 nls_cp); 1178 1179 *buflen = tmp - *pbuffer; 1180 setup_ntlm_smb3_neg_ret: 1181 return rc; 1182 } 1183 1184 1185 /* See MS-NLMP 2.2.1.3 */ 1186 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1187 u16 *buflen, 1188 struct cifs_ses *ses, 1189 struct TCP_Server_Info *server, 1190 const struct nls_table *nls_cp) 1191 { 1192 int rc; 1193 AUTHENTICATE_MESSAGE *sec_blob; 1194 __u32 flags; 1195 unsigned char *tmp; 1196 int len; 1197 1198 rc = setup_ntlmv2_rsp(ses, nls_cp); 1199 if (rc) { 1200 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1201 *buflen = 0; 1202 goto setup_ntlmv2_ret; 1203 } 1204 1205 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1206 *pbuffer = kmalloc(len, GFP_KERNEL); 1207 if (!*pbuffer) { 1208 rc = -ENOMEM; 1209 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1210 *buflen = 0; 1211 goto setup_ntlmv2_ret; 1212 } 1213 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1214 1215 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1216 sec_blob->MessageType = NtLmAuthenticate; 1217 1218 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1219 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1220 /* we only send version information in ntlmssp negotiate, so do not set this flag */ 1221 flags = flags & ~NTLMSSP_NEGOTIATE_VERSION; 1222 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1223 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1224 1225 sec_blob->LmChallengeResponse.BufferOffset = 1226 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1227 sec_blob->LmChallengeResponse.Length = 0; 1228 sec_blob->LmChallengeResponse.MaximumLength = 0; 1229 1230 sec_blob->NtChallengeResponse.BufferOffset = 1231 cpu_to_le32(tmp - *pbuffer); 1232 if (ses->user_name != NULL) { 1233 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1234 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1235 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1236 1237 sec_blob->NtChallengeResponse.Length = 1238 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1239 sec_blob->NtChallengeResponse.MaximumLength = 1240 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1241 } else { 1242 /* 1243 * don't send an NT Response for anonymous access 1244 */ 1245 sec_blob->NtChallengeResponse.Length = 0; 1246 sec_blob->NtChallengeResponse.MaximumLength = 0; 1247 } 1248 1249 cifs_security_buffer_from_str(&sec_blob->DomainName, 1250 ses->domainName, 1251 CIFS_MAX_DOMAINNAME_LEN, 1252 *pbuffer, &tmp, 1253 nls_cp); 1254 1255 cifs_security_buffer_from_str(&sec_blob->UserName, 1256 ses->user_name, 1257 CIFS_MAX_USERNAME_LEN, 1258 *pbuffer, &tmp, 1259 nls_cp); 1260 1261 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1262 ses->workstation_name, 1263 ntlmssp_workstation_name_size(ses), 1264 *pbuffer, &tmp, 1265 nls_cp); 1266 1267 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1268 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1269 !calc_seckey(ses)) { 1270 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1271 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1272 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1273 sec_blob->SessionKey.MaximumLength = 1274 cpu_to_le16(CIFS_CPHTXT_SIZE); 1275 tmp += CIFS_CPHTXT_SIZE; 1276 } else { 1277 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1278 sec_blob->SessionKey.Length = 0; 1279 sec_blob->SessionKey.MaximumLength = 0; 1280 } 1281 1282 *buflen = tmp - *pbuffer; 1283 setup_ntlmv2_ret: 1284 return rc; 1285 } 1286 1287 enum securityEnum 1288 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1289 { 1290 switch (server->negflavor) { 1291 case CIFS_NEGFLAVOR_EXTENDED: 1292 switch (requested) { 1293 case Kerberos: 1294 case RawNTLMSSP: 1295 return requested; 1296 case Unspecified: 1297 if (server->sec_ntlmssp && 1298 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1299 return RawNTLMSSP; 1300 if ((server->sec_kerberos || server->sec_mskerberos) && 1301 (global_secflags & CIFSSEC_MAY_KRB5)) 1302 return Kerberos; 1303 fallthrough; 1304 default: 1305 return Unspecified; 1306 } 1307 case CIFS_NEGFLAVOR_UNENCAP: 1308 switch (requested) { 1309 case NTLMv2: 1310 return requested; 1311 case Unspecified: 1312 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1313 return NTLMv2; 1314 break; 1315 default: 1316 break; 1317 } 1318 fallthrough; 1319 default: 1320 return Unspecified; 1321 } 1322 } 1323 1324 struct sess_data { 1325 unsigned int xid; 1326 struct cifs_ses *ses; 1327 struct TCP_Server_Info *server; 1328 struct nls_table *nls_cp; 1329 void (*func)(struct sess_data *); 1330 int result; 1331 1332 /* we will send the SMB in three pieces: 1333 * a fixed length beginning part, an optional 1334 * SPNEGO blob (which can be zero length), and a 1335 * last part which will include the strings 1336 * and rest of bcc area. This allows us to avoid 1337 * a large buffer 17K allocation 1338 */ 1339 int buf0_type; 1340 struct kvec iov[3]; 1341 }; 1342 1343 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1344 static int 1345 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1346 { 1347 int rc; 1348 struct cifs_ses *ses = sess_data->ses; 1349 struct smb_hdr *smb_buf; 1350 1351 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1352 (void **)&smb_buf); 1353 1354 if (rc) 1355 return rc; 1356 1357 sess_data->iov[0].iov_base = (char *)smb_buf; 1358 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1359 /* 1360 * This variable will be used to clear the buffer 1361 * allocated above in case of any error in the calling function. 1362 */ 1363 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1364 1365 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1366 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1367 if (!sess_data->iov[2].iov_base) { 1368 rc = -ENOMEM; 1369 goto out_free_smb_buf; 1370 } 1371 1372 return 0; 1373 1374 out_free_smb_buf: 1375 cifs_small_buf_release(smb_buf); 1376 sess_data->iov[0].iov_base = NULL; 1377 sess_data->iov[0].iov_len = 0; 1378 sess_data->buf0_type = CIFS_NO_BUFFER; 1379 return rc; 1380 } 1381 1382 static void 1383 sess_free_buffer(struct sess_data *sess_data) 1384 { 1385 struct kvec *iov = sess_data->iov; 1386 1387 /* 1388 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1389 * Note that iov[1] is already freed by caller. 1390 */ 1391 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1392 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1393 1394 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1395 sess_data->buf0_type = CIFS_NO_BUFFER; 1396 kfree_sensitive(iov[2].iov_base); 1397 } 1398 1399 static int 1400 sess_establish_session(struct sess_data *sess_data) 1401 { 1402 struct cifs_ses *ses = sess_data->ses; 1403 struct TCP_Server_Info *server = sess_data->server; 1404 1405 cifs_server_lock(server); 1406 if (!server->session_estab) { 1407 if (server->sign) { 1408 server->session_key.response = 1409 kmemdup(ses->auth_key.response, 1410 ses->auth_key.len, GFP_KERNEL); 1411 if (!server->session_key.response) { 1412 cifs_server_unlock(server); 1413 return -ENOMEM; 1414 } 1415 server->session_key.len = 1416 ses->auth_key.len; 1417 } 1418 server->sequence_number = 0x2; 1419 server->session_estab = true; 1420 } 1421 cifs_server_unlock(server); 1422 1423 cifs_dbg(FYI, "CIFS session established successfully\n"); 1424 return 0; 1425 } 1426 1427 static int 1428 sess_sendreceive(struct sess_data *sess_data) 1429 { 1430 int rc; 1431 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1432 __u16 count; 1433 struct kvec rsp_iov = { NULL, 0 }; 1434 1435 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1436 be32_add_cpu(&smb_buf->smb_buf_length, count); 1437 put_bcc(count, smb_buf); 1438 1439 rc = SendReceive2(sess_data->xid, sess_data->ses, 1440 sess_data->iov, 3 /* num_iovecs */, 1441 &sess_data->buf0_type, 1442 CIFS_LOG_ERROR, &rsp_iov); 1443 cifs_small_buf_release(sess_data->iov[0].iov_base); 1444 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1445 1446 return rc; 1447 } 1448 1449 static void 1450 sess_auth_ntlmv2(struct sess_data *sess_data) 1451 { 1452 int rc = 0; 1453 struct smb_hdr *smb_buf; 1454 SESSION_SETUP_ANDX *pSMB; 1455 char *bcc_ptr; 1456 struct cifs_ses *ses = sess_data->ses; 1457 struct TCP_Server_Info *server = sess_data->server; 1458 __u32 capabilities; 1459 __u16 bytes_remaining; 1460 1461 /* old style NTLM sessionsetup */ 1462 /* wct = 13 */ 1463 rc = sess_alloc_buffer(sess_data, 13); 1464 if (rc) 1465 goto out; 1466 1467 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1468 bcc_ptr = sess_data->iov[2].iov_base; 1469 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1470 1471 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1472 1473 /* LM2 password would be here if we supported it */ 1474 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1475 1476 if (ses->user_name != NULL) { 1477 /* calculate nlmv2 response and session key */ 1478 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1479 if (rc) { 1480 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1481 goto out; 1482 } 1483 1484 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1485 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1486 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1487 1488 /* set case sensitive password length after tilen may get 1489 * assigned, tilen is 0 otherwise. 1490 */ 1491 pSMB->req_no_secext.CaseSensitivePasswordLength = 1492 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1493 } else { 1494 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1495 } 1496 1497 if (ses->capabilities & CAP_UNICODE) { 1498 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1499 *bcc_ptr = 0; 1500 bcc_ptr++; 1501 } 1502 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1503 } else { 1504 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1505 } 1506 1507 1508 sess_data->iov[2].iov_len = (long) bcc_ptr - 1509 (long) sess_data->iov[2].iov_base; 1510 1511 rc = sess_sendreceive(sess_data); 1512 if (rc) 1513 goto out; 1514 1515 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1516 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1517 1518 if (smb_buf->WordCount != 3) { 1519 rc = -EIO; 1520 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1521 goto out; 1522 } 1523 1524 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1525 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1526 1527 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1528 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1529 1530 bytes_remaining = get_bcc(smb_buf); 1531 bcc_ptr = pByteArea(smb_buf); 1532 1533 /* BB check if Unicode and decode strings */ 1534 if (bytes_remaining == 0) { 1535 /* no string area to decode, do nothing */ 1536 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1537 /* unicode string area must be word-aligned */ 1538 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1539 ++bcc_ptr; 1540 --bytes_remaining; 1541 } 1542 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1543 sess_data->nls_cp); 1544 } else { 1545 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1546 sess_data->nls_cp); 1547 } 1548 1549 rc = sess_establish_session(sess_data); 1550 out: 1551 sess_data->result = rc; 1552 sess_data->func = NULL; 1553 sess_free_buffer(sess_data); 1554 kfree_sensitive(ses->auth_key.response); 1555 ses->auth_key.response = NULL; 1556 } 1557 1558 #ifdef CONFIG_CIFS_UPCALL 1559 static void 1560 sess_auth_kerberos(struct sess_data *sess_data) 1561 { 1562 int rc = 0; 1563 struct smb_hdr *smb_buf; 1564 SESSION_SETUP_ANDX *pSMB; 1565 char *bcc_ptr; 1566 struct cifs_ses *ses = sess_data->ses; 1567 struct TCP_Server_Info *server = sess_data->server; 1568 __u32 capabilities; 1569 __u16 bytes_remaining; 1570 struct key *spnego_key = NULL; 1571 struct cifs_spnego_msg *msg; 1572 u16 blob_len; 1573 1574 /* extended security */ 1575 /* wct = 12 */ 1576 rc = sess_alloc_buffer(sess_data, 12); 1577 if (rc) 1578 goto out; 1579 1580 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1581 bcc_ptr = sess_data->iov[2].iov_base; 1582 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1583 1584 spnego_key = cifs_get_spnego_key(ses, server); 1585 if (IS_ERR(spnego_key)) { 1586 rc = PTR_ERR(spnego_key); 1587 spnego_key = NULL; 1588 goto out; 1589 } 1590 1591 msg = spnego_key->payload.data[0]; 1592 /* 1593 * check version field to make sure that cifs.upcall is 1594 * sending us a response in an expected form 1595 */ 1596 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1597 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1598 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1599 rc = -EKEYREJECTED; 1600 goto out_put_spnego_key; 1601 } 1602 1603 kfree_sensitive(ses->auth_key.response); 1604 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1605 GFP_KERNEL); 1606 if (!ses->auth_key.response) { 1607 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1608 msg->sesskey_len); 1609 rc = -ENOMEM; 1610 goto out_put_spnego_key; 1611 } 1612 ses->auth_key.len = msg->sesskey_len; 1613 1614 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1615 capabilities |= CAP_EXTENDED_SECURITY; 1616 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1617 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1618 sess_data->iov[1].iov_len = msg->secblob_len; 1619 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1620 1621 if (ses->capabilities & CAP_UNICODE) { 1622 /* unicode strings must be word aligned */ 1623 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1624 *bcc_ptr = 0; 1625 bcc_ptr++; 1626 } 1627 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1628 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1629 } else { 1630 /* BB: is this right? */ 1631 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1632 } 1633 1634 sess_data->iov[2].iov_len = (long) bcc_ptr - 1635 (long) sess_data->iov[2].iov_base; 1636 1637 rc = sess_sendreceive(sess_data); 1638 if (rc) 1639 goto out_put_spnego_key; 1640 1641 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1642 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1643 1644 if (smb_buf->WordCount != 4) { 1645 rc = -EIO; 1646 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1647 goto out_put_spnego_key; 1648 } 1649 1650 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1651 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1652 1653 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1654 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1655 1656 bytes_remaining = get_bcc(smb_buf); 1657 bcc_ptr = pByteArea(smb_buf); 1658 1659 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1660 if (blob_len > bytes_remaining) { 1661 cifs_dbg(VFS, "bad security blob length %d\n", 1662 blob_len); 1663 rc = -EINVAL; 1664 goto out_put_spnego_key; 1665 } 1666 bcc_ptr += blob_len; 1667 bytes_remaining -= blob_len; 1668 1669 /* BB check if Unicode and decode strings */ 1670 if (bytes_remaining == 0) { 1671 /* no string area to decode, do nothing */ 1672 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1673 /* unicode string area must be word-aligned */ 1674 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1675 ++bcc_ptr; 1676 --bytes_remaining; 1677 } 1678 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1679 sess_data->nls_cp); 1680 } else { 1681 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1682 sess_data->nls_cp); 1683 } 1684 1685 rc = sess_establish_session(sess_data); 1686 out_put_spnego_key: 1687 key_invalidate(spnego_key); 1688 key_put(spnego_key); 1689 out: 1690 sess_data->result = rc; 1691 sess_data->func = NULL; 1692 sess_free_buffer(sess_data); 1693 kfree_sensitive(ses->auth_key.response); 1694 ses->auth_key.response = NULL; 1695 } 1696 1697 #endif /* ! CONFIG_CIFS_UPCALL */ 1698 1699 /* 1700 * The required kvec buffers have to be allocated before calling this 1701 * function. 1702 */ 1703 static int 1704 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1705 { 1706 SESSION_SETUP_ANDX *pSMB; 1707 struct cifs_ses *ses = sess_data->ses; 1708 struct TCP_Server_Info *server = sess_data->server; 1709 __u32 capabilities; 1710 char *bcc_ptr; 1711 1712 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1713 1714 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1715 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1716 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1717 return -ENOSYS; 1718 } 1719 1720 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1721 capabilities |= CAP_EXTENDED_SECURITY; 1722 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1723 1724 bcc_ptr = sess_data->iov[2].iov_base; 1725 /* unicode strings must be word aligned */ 1726 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1727 *bcc_ptr = 0; 1728 bcc_ptr++; 1729 } 1730 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1731 1732 sess_data->iov[2].iov_len = (long) bcc_ptr - 1733 (long) sess_data->iov[2].iov_base; 1734 1735 return 0; 1736 } 1737 1738 static void 1739 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1740 1741 static void 1742 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1743 { 1744 int rc; 1745 struct smb_hdr *smb_buf; 1746 SESSION_SETUP_ANDX *pSMB; 1747 struct cifs_ses *ses = sess_data->ses; 1748 struct TCP_Server_Info *server = sess_data->server; 1749 __u16 bytes_remaining; 1750 char *bcc_ptr; 1751 unsigned char *ntlmsspblob = NULL; 1752 u16 blob_len; 1753 1754 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1755 1756 /* 1757 * if memory allocation is successful, caller of this function 1758 * frees it. 1759 */ 1760 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1761 if (!ses->ntlmssp) { 1762 rc = -ENOMEM; 1763 goto out; 1764 } 1765 ses->ntlmssp->sesskey_per_smbsess = false; 1766 1767 /* wct = 12 */ 1768 rc = sess_alloc_buffer(sess_data, 12); 1769 if (rc) 1770 goto out; 1771 1772 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1773 1774 /* Build security blob before we assemble the request */ 1775 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1776 &blob_len, ses, server, 1777 sess_data->nls_cp); 1778 if (rc) 1779 goto out_free_ntlmsspblob; 1780 1781 sess_data->iov[1].iov_len = blob_len; 1782 sess_data->iov[1].iov_base = ntlmsspblob; 1783 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1784 1785 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1786 if (rc) 1787 goto out_free_ntlmsspblob; 1788 1789 rc = sess_sendreceive(sess_data); 1790 1791 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1792 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1793 1794 /* If true, rc here is expected and not an error */ 1795 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1796 smb_buf->Status.CifsError == 1797 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1798 rc = 0; 1799 1800 if (rc) 1801 goto out_free_ntlmsspblob; 1802 1803 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1804 1805 if (smb_buf->WordCount != 4) { 1806 rc = -EIO; 1807 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1808 goto out_free_ntlmsspblob; 1809 } 1810 1811 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1812 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1813 1814 bytes_remaining = get_bcc(smb_buf); 1815 bcc_ptr = pByteArea(smb_buf); 1816 1817 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1818 if (blob_len > bytes_remaining) { 1819 cifs_dbg(VFS, "bad security blob length %d\n", 1820 blob_len); 1821 rc = -EINVAL; 1822 goto out_free_ntlmsspblob; 1823 } 1824 1825 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1826 1827 out_free_ntlmsspblob: 1828 kfree_sensitive(ntlmsspblob); 1829 out: 1830 sess_free_buffer(sess_data); 1831 1832 if (!rc) { 1833 sess_data->func = sess_auth_rawntlmssp_authenticate; 1834 return; 1835 } 1836 1837 /* Else error. Cleanup */ 1838 kfree_sensitive(ses->auth_key.response); 1839 ses->auth_key.response = NULL; 1840 kfree_sensitive(ses->ntlmssp); 1841 ses->ntlmssp = NULL; 1842 1843 sess_data->func = NULL; 1844 sess_data->result = rc; 1845 } 1846 1847 static void 1848 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1849 { 1850 int rc; 1851 struct smb_hdr *smb_buf; 1852 SESSION_SETUP_ANDX *pSMB; 1853 struct cifs_ses *ses = sess_data->ses; 1854 struct TCP_Server_Info *server = sess_data->server; 1855 __u16 bytes_remaining; 1856 char *bcc_ptr; 1857 unsigned char *ntlmsspblob = NULL; 1858 u16 blob_len; 1859 1860 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1861 1862 /* wct = 12 */ 1863 rc = sess_alloc_buffer(sess_data, 12); 1864 if (rc) 1865 goto out; 1866 1867 /* Build security blob before we assemble the request */ 1868 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1869 smb_buf = (struct smb_hdr *)pSMB; 1870 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1871 &blob_len, ses, server, 1872 sess_data->nls_cp); 1873 if (rc) 1874 goto out_free_ntlmsspblob; 1875 sess_data->iov[1].iov_len = blob_len; 1876 sess_data->iov[1].iov_base = ntlmsspblob; 1877 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1878 /* 1879 * Make sure that we tell the server that we are using 1880 * the uid that it just gave us back on the response 1881 * (challenge) 1882 */ 1883 smb_buf->Uid = ses->Suid; 1884 1885 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1886 if (rc) 1887 goto out_free_ntlmsspblob; 1888 1889 rc = sess_sendreceive(sess_data); 1890 if (rc) 1891 goto out_free_ntlmsspblob; 1892 1893 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1894 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1895 if (smb_buf->WordCount != 4) { 1896 rc = -EIO; 1897 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1898 goto out_free_ntlmsspblob; 1899 } 1900 1901 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1902 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1903 1904 if (ses->Suid != smb_buf->Uid) { 1905 ses->Suid = smb_buf->Uid; 1906 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1907 } 1908 1909 bytes_remaining = get_bcc(smb_buf); 1910 bcc_ptr = pByteArea(smb_buf); 1911 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1912 if (blob_len > bytes_remaining) { 1913 cifs_dbg(VFS, "bad security blob length %d\n", 1914 blob_len); 1915 rc = -EINVAL; 1916 goto out_free_ntlmsspblob; 1917 } 1918 bcc_ptr += blob_len; 1919 bytes_remaining -= blob_len; 1920 1921 1922 /* BB check if Unicode and decode strings */ 1923 if (bytes_remaining == 0) { 1924 /* no string area to decode, do nothing */ 1925 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1926 /* unicode string area must be word-aligned */ 1927 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1928 ++bcc_ptr; 1929 --bytes_remaining; 1930 } 1931 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1932 sess_data->nls_cp); 1933 } else { 1934 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1935 sess_data->nls_cp); 1936 } 1937 1938 out_free_ntlmsspblob: 1939 kfree_sensitive(ntlmsspblob); 1940 out: 1941 sess_free_buffer(sess_data); 1942 1943 if (!rc) 1944 rc = sess_establish_session(sess_data); 1945 1946 /* Cleanup */ 1947 kfree_sensitive(ses->auth_key.response); 1948 ses->auth_key.response = NULL; 1949 kfree_sensitive(ses->ntlmssp); 1950 ses->ntlmssp = NULL; 1951 1952 sess_data->func = NULL; 1953 sess_data->result = rc; 1954 } 1955 1956 static int select_sec(struct sess_data *sess_data) 1957 { 1958 int type; 1959 struct cifs_ses *ses = sess_data->ses; 1960 struct TCP_Server_Info *server = sess_data->server; 1961 1962 type = cifs_select_sectype(server, ses->sectype); 1963 cifs_dbg(FYI, "sess setup type %d\n", type); 1964 if (type == Unspecified) { 1965 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1966 return -EINVAL; 1967 } 1968 1969 switch (type) { 1970 case NTLMv2: 1971 sess_data->func = sess_auth_ntlmv2; 1972 break; 1973 case Kerberos: 1974 #ifdef CONFIG_CIFS_UPCALL 1975 sess_data->func = sess_auth_kerberos; 1976 break; 1977 #else 1978 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1979 return -ENOSYS; 1980 #endif /* CONFIG_CIFS_UPCALL */ 1981 case RawNTLMSSP: 1982 sess_data->func = sess_auth_rawntlmssp_negotiate; 1983 break; 1984 default: 1985 cifs_dbg(VFS, "secType %d not supported!\n", type); 1986 return -ENOSYS; 1987 } 1988 1989 return 0; 1990 } 1991 1992 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1993 struct TCP_Server_Info *server, 1994 const struct nls_table *nls_cp) 1995 { 1996 int rc = 0; 1997 struct sess_data *sess_data; 1998 1999 if (ses == NULL) { 2000 WARN(1, "%s: ses == NULL!", __func__); 2001 return -EINVAL; 2002 } 2003 2004 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2005 if (!sess_data) 2006 return -ENOMEM; 2007 2008 sess_data->xid = xid; 2009 sess_data->ses = ses; 2010 sess_data->server = server; 2011 sess_data->buf0_type = CIFS_NO_BUFFER; 2012 sess_data->nls_cp = (struct nls_table *) nls_cp; 2013 2014 rc = select_sec(sess_data); 2015 if (rc) 2016 goto out; 2017 2018 while (sess_data->func) 2019 sess_data->func(sess_data); 2020 2021 /* Store result before we free sess_data */ 2022 rc = sess_data->result; 2023 2024 out: 2025 kfree_sensitive(sess_data); 2026 return rc; 2027 } 2028 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2029