1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool 31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 unsigned int 73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 for (i = 0; i < ses->chan_count; i++) { 79 if (ses->chans[i].server == server) 80 return i; 81 } 82 83 /* If we didn't find the channel, it is likely a bug */ 84 if (server) 85 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 86 server->conn_id); 87 WARN_ON(1); 88 return 0; 89 } 90 91 void 92 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 93 struct TCP_Server_Info *server) 94 { 95 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 96 97 ses->chans[chan_index].in_reconnect = true; 98 } 99 100 void 101 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 102 struct TCP_Server_Info *server) 103 { 104 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 105 106 ses->chans[chan_index].in_reconnect = false; 107 } 108 109 bool 110 cifs_chan_in_reconnect(struct cifs_ses *ses, 111 struct TCP_Server_Info *server) 112 { 113 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 114 115 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 116 } 117 118 void 119 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 120 struct TCP_Server_Info *server) 121 { 122 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 123 124 set_bit(chan_index, &ses->chans_need_reconnect); 125 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 126 chan_index, ses->chans_need_reconnect); 127 } 128 129 void 130 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 131 struct TCP_Server_Info *server) 132 { 133 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 134 135 clear_bit(chan_index, &ses->chans_need_reconnect); 136 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 137 chan_index, ses->chans_need_reconnect); 138 } 139 140 bool 141 cifs_chan_needs_reconnect(struct cifs_ses *ses, 142 struct TCP_Server_Info *server) 143 { 144 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 145 146 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 147 } 148 149 bool 150 cifs_chan_is_iface_active(struct cifs_ses *ses, 151 struct TCP_Server_Info *server) 152 { 153 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 154 155 return ses->chans[chan_index].iface && 156 ses->chans[chan_index].iface->is_active; 157 } 158 159 /* returns number of channels added */ 160 int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses) 161 { 162 struct TCP_Server_Info *server = ses->server; 163 int old_chan_count, new_chan_count; 164 int left; 165 int rc = 0; 166 int tries = 0; 167 struct cifs_server_iface *iface = NULL, *niface = NULL; 168 169 spin_lock(&ses->chan_lock); 170 171 new_chan_count = old_chan_count = ses->chan_count; 172 left = ses->chan_max - ses->chan_count; 173 174 if (left <= 0) { 175 spin_unlock(&ses->chan_lock); 176 cifs_dbg(FYI, 177 "ses already at max_channels (%zu), nothing to open\n", 178 ses->chan_max); 179 return 0; 180 } 181 182 if (server->dialect < SMB30_PROT_ID) { 183 spin_unlock(&ses->chan_lock); 184 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 185 return 0; 186 } 187 188 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 189 ses->chan_max = 1; 190 spin_unlock(&ses->chan_lock); 191 cifs_server_dbg(VFS, "no multichannel support\n"); 192 return 0; 193 } 194 spin_unlock(&ses->chan_lock); 195 196 /* 197 * Keep connecting to same, fastest, iface for all channels as 198 * long as its RSS. Try next fastest one if not RSS or channel 199 * creation fails. 200 */ 201 spin_lock(&ses->iface_lock); 202 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 203 iface_head); 204 spin_unlock(&ses->iface_lock); 205 206 while (left > 0) { 207 208 tries++; 209 if (tries > 3*ses->chan_max) { 210 cifs_dbg(FYI, "too many channel open attempts (%d channels left to open)\n", 211 left); 212 break; 213 } 214 215 spin_lock(&ses->iface_lock); 216 if (!ses->iface_count) { 217 spin_unlock(&ses->iface_lock); 218 break; 219 } 220 221 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 222 iface_head) { 223 /* skip ifaces that are unusable */ 224 if (!iface->is_active || 225 (is_ses_using_iface(ses, iface) && 226 !iface->rss_capable)) { 227 continue; 228 } 229 230 /* take ref before unlock */ 231 kref_get(&iface->refcount); 232 233 spin_unlock(&ses->iface_lock); 234 rc = cifs_ses_add_channel(cifs_sb, ses, iface); 235 spin_lock(&ses->iface_lock); 236 237 if (rc) { 238 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 239 &iface->sockaddr, 240 rc); 241 kref_put(&iface->refcount, release_iface); 242 continue; 243 } 244 245 cifs_dbg(FYI, "successfully opened new channel on iface:%pIS\n", 246 &iface->sockaddr); 247 break; 248 } 249 spin_unlock(&ses->iface_lock); 250 251 left--; 252 new_chan_count++; 253 } 254 255 return new_chan_count - old_chan_count; 256 } 257 258 /* 259 * update the iface for the channel if necessary. 260 * will return 0 when iface is updated, 1 if removed, 2 otherwise 261 * Must be called with chan_lock held. 262 */ 263 int 264 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 265 { 266 unsigned int chan_index; 267 struct cifs_server_iface *iface = NULL; 268 struct cifs_server_iface *old_iface = NULL; 269 int rc = 0; 270 271 spin_lock(&ses->chan_lock); 272 chan_index = cifs_ses_get_chan_index(ses, server); 273 if (!chan_index) { 274 spin_unlock(&ses->chan_lock); 275 return 0; 276 } 277 278 if (ses->chans[chan_index].iface) { 279 old_iface = ses->chans[chan_index].iface; 280 if (old_iface->is_active) { 281 spin_unlock(&ses->chan_lock); 282 return 1; 283 } 284 } 285 spin_unlock(&ses->chan_lock); 286 287 spin_lock(&ses->iface_lock); 288 /* then look for a new one */ 289 list_for_each_entry(iface, &ses->iface_list, iface_head) { 290 if (!iface->is_active || 291 (is_ses_using_iface(ses, iface) && 292 !iface->rss_capable)) { 293 continue; 294 } 295 kref_get(&iface->refcount); 296 break; 297 } 298 299 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 300 rc = 1; 301 iface = NULL; 302 cifs_dbg(FYI, "unable to find a suitable iface\n"); 303 } 304 305 /* now drop the ref to the current iface */ 306 if (old_iface && iface) { 307 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 308 &old_iface->sockaddr, 309 &iface->sockaddr); 310 kref_put(&old_iface->refcount, release_iface); 311 } else if (old_iface) { 312 cifs_dbg(FYI, "releasing ref to iface: %pIS\n", 313 &old_iface->sockaddr); 314 kref_put(&old_iface->refcount, release_iface); 315 } else { 316 WARN_ON(!iface); 317 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); 318 } 319 spin_unlock(&ses->iface_lock); 320 321 spin_lock(&ses->chan_lock); 322 chan_index = cifs_ses_get_chan_index(ses, server); 323 ses->chans[chan_index].iface = iface; 324 325 /* No iface is found. if secondary chan, drop connection */ 326 if (!iface && CIFS_SERVER_IS_CHAN(server)) 327 ses->chans[chan_index].server = NULL; 328 329 spin_unlock(&ses->chan_lock); 330 331 if (!iface && CIFS_SERVER_IS_CHAN(server)) 332 cifs_put_tcp_session(server, false); 333 334 return rc; 335 } 336 337 /* 338 * If server is a channel of ses, return the corresponding enclosing 339 * cifs_chan otherwise return NULL. 340 */ 341 struct cifs_chan * 342 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 343 { 344 int i; 345 346 spin_lock(&ses->chan_lock); 347 for (i = 0; i < ses->chan_count; i++) { 348 if (ses->chans[i].server == server) { 349 spin_unlock(&ses->chan_lock); 350 return &ses->chans[i]; 351 } 352 } 353 spin_unlock(&ses->chan_lock); 354 return NULL; 355 } 356 357 static int 358 cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses, 359 struct cifs_server_iface *iface) 360 { 361 struct TCP_Server_Info *chan_server; 362 struct cifs_chan *chan; 363 struct smb3_fs_context ctx = {NULL}; 364 static const char unc_fmt[] = "\\%s\\foo"; 365 char unc[sizeof(unc_fmt)+SERVER_NAME_LEN_WITH_NULL] = {0}; 366 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 367 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 368 int rc; 369 unsigned int xid = get_xid(); 370 371 if (iface->sockaddr.ss_family == AF_INET) 372 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 373 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 374 &ipv4->sin_addr); 375 else 376 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 377 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 378 &ipv6->sin6_addr); 379 380 /* 381 * Setup a ctx with mostly the same info as the existing 382 * session and overwrite it with the requested iface data. 383 * 384 * We need to setup at least the fields used for negprot and 385 * sesssetup. 386 * 387 * We only need the ctx here, so we can reuse memory from 388 * the session and server without caring about memory 389 * management. 390 */ 391 392 /* Always make new connection for now (TODO?) */ 393 ctx.nosharesock = true; 394 395 /* Auth */ 396 ctx.domainauto = ses->domainAuto; 397 ctx.domainname = ses->domainName; 398 399 /* no hostname for extra channels */ 400 ctx.server_hostname = ""; 401 402 ctx.username = ses->user_name; 403 ctx.password = ses->password; 404 ctx.sectype = ses->sectype; 405 ctx.sign = ses->sign; 406 407 /* UNC and paths */ 408 /* XXX: Use ses->server->hostname? */ 409 sprintf(unc, unc_fmt, ses->ip_addr); 410 ctx.UNC = unc; 411 ctx.prepath = ""; 412 413 /* Reuse same version as master connection */ 414 ctx.vals = ses->server->vals; 415 ctx.ops = ses->server->ops; 416 417 ctx.noblocksnd = ses->server->noblocksnd; 418 ctx.noautotune = ses->server->noautotune; 419 ctx.sockopt_tcp_nodelay = ses->server->tcp_nodelay; 420 ctx.echo_interval = ses->server->echo_interval / HZ; 421 ctx.max_credits = ses->server->max_credits; 422 423 /* 424 * This will be used for encoding/decoding user/domain/pw 425 * during sess setup auth. 426 */ 427 ctx.local_nls = cifs_sb->local_nls; 428 429 /* Use RDMA if possible */ 430 ctx.rdma = iface->rdma_capable; 431 memcpy(&ctx.dstaddr, &iface->sockaddr, sizeof(struct sockaddr_storage)); 432 433 /* reuse master con client guid */ 434 memcpy(&ctx.client_guid, ses->server->client_guid, 435 SMB2_CLIENT_GUID_SIZE); 436 ctx.use_client_guid = true; 437 438 chan_server = cifs_get_tcp_session(&ctx, ses->server); 439 440 spin_lock(&ses->chan_lock); 441 chan = &ses->chans[ses->chan_count]; 442 chan->server = chan_server; 443 if (IS_ERR(chan->server)) { 444 rc = PTR_ERR(chan->server); 445 chan->server = NULL; 446 spin_unlock(&ses->chan_lock); 447 goto out; 448 } 449 chan->iface = iface; 450 ses->chan_count++; 451 atomic_set(&ses->chan_seq, 0); 452 453 /* Mark this channel as needing connect/setup */ 454 cifs_chan_set_need_reconnect(ses, chan->server); 455 456 spin_unlock(&ses->chan_lock); 457 458 mutex_lock(&ses->session_mutex); 459 /* 460 * We need to allocate the server crypto now as we will need 461 * to sign packets before we generate the channel signing key 462 * (we sign with the session key) 463 */ 464 rc = smb311_crypto_shash_allocate(chan->server); 465 if (rc) { 466 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 467 mutex_unlock(&ses->session_mutex); 468 goto out; 469 } 470 471 rc = cifs_negotiate_protocol(xid, ses, chan->server); 472 if (!rc) 473 rc = cifs_setup_session(xid, ses, chan->server, cifs_sb->local_nls); 474 475 mutex_unlock(&ses->session_mutex); 476 477 out: 478 if (rc && chan->server) { 479 /* 480 * we should avoid race with these delayed works before we 481 * remove this channel 482 */ 483 cancel_delayed_work_sync(&chan->server->echo); 484 cancel_delayed_work_sync(&chan->server->reconnect); 485 486 spin_lock(&ses->chan_lock); 487 /* we rely on all bits beyond chan_count to be clear */ 488 cifs_chan_clear_need_reconnect(ses, chan->server); 489 ses->chan_count--; 490 /* 491 * chan_count should never reach 0 as at least the primary 492 * channel is always allocated 493 */ 494 WARN_ON(ses->chan_count < 1); 495 spin_unlock(&ses->chan_lock); 496 497 cifs_put_tcp_session(chan->server, 0); 498 } 499 500 free_xid(xid); 501 return rc; 502 } 503 504 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 505 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 506 struct TCP_Server_Info *server, 507 SESSION_SETUP_ANDX *pSMB) 508 { 509 __u32 capabilities = 0; 510 511 /* init fields common to all four types of SessSetup */ 512 /* Note that offsets for first seven fields in req struct are same */ 513 /* in CIFS Specs so does not matter which of 3 forms of struct */ 514 /* that we use in next few lines */ 515 /* Note that header is initialized to zero in header_assemble */ 516 pSMB->req.AndXCommand = 0xFF; 517 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 518 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 519 USHRT_MAX)); 520 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 521 pSMB->req.VcNumber = cpu_to_le16(1); 522 523 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 524 525 /* BB verify whether signing required on neg or just on auth frame 526 (and NTLM case) */ 527 528 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 529 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 530 531 if (server->sign) 532 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 533 534 if (ses->capabilities & CAP_UNICODE) { 535 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 536 capabilities |= CAP_UNICODE; 537 } 538 if (ses->capabilities & CAP_STATUS32) { 539 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 540 capabilities |= CAP_STATUS32; 541 } 542 if (ses->capabilities & CAP_DFS) { 543 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 544 capabilities |= CAP_DFS; 545 } 546 if (ses->capabilities & CAP_UNIX) 547 capabilities |= CAP_UNIX; 548 549 return capabilities; 550 } 551 552 static void 553 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 554 { 555 char *bcc_ptr = *pbcc_area; 556 int bytes_ret = 0; 557 558 /* Copy OS version */ 559 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 560 nls_cp); 561 bcc_ptr += 2 * bytes_ret; 562 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 563 32, nls_cp); 564 bcc_ptr += 2 * bytes_ret; 565 bcc_ptr += 2; /* trailing null */ 566 567 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 568 32, nls_cp); 569 bcc_ptr += 2 * bytes_ret; 570 bcc_ptr += 2; /* trailing null */ 571 572 *pbcc_area = bcc_ptr; 573 } 574 575 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 576 const struct nls_table *nls_cp) 577 { 578 char *bcc_ptr = *pbcc_area; 579 int bytes_ret = 0; 580 581 /* copy domain */ 582 if (ses->domainName == NULL) { 583 /* Sending null domain better than using a bogus domain name (as 584 we did briefly in 2.6.18) since server will use its default */ 585 *bcc_ptr = 0; 586 *(bcc_ptr+1) = 0; 587 bytes_ret = 0; 588 } else 589 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 590 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 591 bcc_ptr += 2 * bytes_ret; 592 bcc_ptr += 2; /* account for null terminator */ 593 594 *pbcc_area = bcc_ptr; 595 } 596 597 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 598 const struct nls_table *nls_cp) 599 { 600 char *bcc_ptr = *pbcc_area; 601 int bytes_ret = 0; 602 603 /* BB FIXME add check that strings total less 604 than 335 or will need to send them as arrays */ 605 606 /* copy user */ 607 if (ses->user_name == NULL) { 608 /* null user mount */ 609 *bcc_ptr = 0; 610 *(bcc_ptr+1) = 0; 611 } else { 612 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 613 CIFS_MAX_USERNAME_LEN, nls_cp); 614 } 615 bcc_ptr += 2 * bytes_ret; 616 bcc_ptr += 2; /* account for null termination */ 617 618 unicode_domain_string(&bcc_ptr, ses, nls_cp); 619 unicode_oslm_strings(&bcc_ptr, nls_cp); 620 621 *pbcc_area = bcc_ptr; 622 } 623 624 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 625 const struct nls_table *nls_cp) 626 { 627 char *bcc_ptr = *pbcc_area; 628 int len; 629 630 /* copy user */ 631 /* BB what about null user mounts - check that we do this BB */ 632 /* copy user */ 633 if (ses->user_name != NULL) { 634 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 635 if (WARN_ON_ONCE(len < 0)) 636 len = CIFS_MAX_USERNAME_LEN - 1; 637 bcc_ptr += len; 638 } 639 /* else null user mount */ 640 *bcc_ptr = 0; 641 bcc_ptr++; /* account for null termination */ 642 643 /* copy domain */ 644 if (ses->domainName != NULL) { 645 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 646 if (WARN_ON_ONCE(len < 0)) 647 len = CIFS_MAX_DOMAINNAME_LEN - 1; 648 bcc_ptr += len; 649 } /* else we will send a null domain name 650 so the server will default to its own domain */ 651 *bcc_ptr = 0; 652 bcc_ptr++; 653 654 /* BB check for overflow here */ 655 656 strcpy(bcc_ptr, "Linux version "); 657 bcc_ptr += strlen("Linux version "); 658 strcpy(bcc_ptr, init_utsname()->release); 659 bcc_ptr += strlen(init_utsname()->release) + 1; 660 661 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 662 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 663 664 *pbcc_area = bcc_ptr; 665 } 666 667 static void 668 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 669 const struct nls_table *nls_cp) 670 { 671 int len; 672 char *data = *pbcc_area; 673 674 cifs_dbg(FYI, "bleft %d\n", bleft); 675 676 kfree(ses->serverOS); 677 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 678 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 679 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 680 data += len; 681 bleft -= len; 682 if (bleft <= 0) 683 return; 684 685 kfree(ses->serverNOS); 686 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 687 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 688 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 689 data += len; 690 bleft -= len; 691 if (bleft <= 0) 692 return; 693 694 kfree(ses->serverDomain); 695 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 696 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 697 698 return; 699 } 700 701 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 702 struct cifs_ses *ses, 703 const struct nls_table *nls_cp) 704 { 705 int len; 706 char *bcc_ptr = *pbcc_area; 707 708 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 709 710 len = strnlen(bcc_ptr, bleft); 711 if (len >= bleft) 712 return; 713 714 kfree(ses->serverOS); 715 716 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 717 if (ses->serverOS) { 718 memcpy(ses->serverOS, bcc_ptr, len); 719 ses->serverOS[len] = 0; 720 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 721 cifs_dbg(FYI, "OS/2 server\n"); 722 } 723 724 bcc_ptr += len + 1; 725 bleft -= len + 1; 726 727 len = strnlen(bcc_ptr, bleft); 728 if (len >= bleft) 729 return; 730 731 kfree(ses->serverNOS); 732 733 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 734 if (ses->serverNOS) { 735 memcpy(ses->serverNOS, bcc_ptr, len); 736 ses->serverNOS[len] = 0; 737 } 738 739 bcc_ptr += len + 1; 740 bleft -= len + 1; 741 742 len = strnlen(bcc_ptr, bleft); 743 if (len > bleft) 744 return; 745 746 /* No domain field in LANMAN case. Domain is 747 returned by old servers in the SMB negprot response */ 748 /* BB For newer servers which do not support Unicode, 749 but thus do return domain here we could add parsing 750 for it later, but it is not very important */ 751 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 752 } 753 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 754 755 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 756 struct cifs_ses *ses) 757 { 758 unsigned int tioffset; /* challenge message target info area */ 759 unsigned int tilen; /* challenge message target info area length */ 760 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 761 __u32 server_flags; 762 763 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 764 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 765 return -EINVAL; 766 } 767 768 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 769 cifs_dbg(VFS, "blob signature incorrect %s\n", 770 pblob->Signature); 771 return -EINVAL; 772 } 773 if (pblob->MessageType != NtLmChallenge) { 774 cifs_dbg(VFS, "Incorrect message type %d\n", 775 pblob->MessageType); 776 return -EINVAL; 777 } 778 779 server_flags = le32_to_cpu(pblob->NegotiateFlags); 780 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 781 ses->ntlmssp->client_flags, server_flags); 782 783 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 784 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 785 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 786 __func__); 787 return -EINVAL; 788 } 789 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 790 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 791 return -EINVAL; 792 } 793 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 794 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 795 __func__); 796 return -EOPNOTSUPP; 797 } 798 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 799 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 800 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 801 __func__); 802 803 ses->ntlmssp->server_flags = server_flags; 804 805 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 806 /* In particular we can examine sign flags */ 807 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 808 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 809 810 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 811 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 812 if (tioffset > blob_len || tioffset + tilen > blob_len) { 813 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 814 tioffset, tilen); 815 return -EINVAL; 816 } 817 if (tilen) { 818 kfree_sensitive(ses->auth_key.response); 819 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 820 GFP_KERNEL); 821 if (!ses->auth_key.response) { 822 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 823 return -ENOMEM; 824 } 825 ses->auth_key.len = tilen; 826 } 827 828 return 0; 829 } 830 831 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 832 { 833 int sz = base_size + ses->auth_key.len 834 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 835 836 if (ses->domainName) 837 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 838 else 839 sz += sizeof(__le16); 840 841 if (ses->user_name) 842 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 843 else 844 sz += sizeof(__le16); 845 846 if (ses->workstation_name[0]) 847 sz += sizeof(__le16) * strnlen(ses->workstation_name, 848 ntlmssp_workstation_name_size(ses)); 849 else 850 sz += sizeof(__le16); 851 852 return sz; 853 } 854 855 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 856 char *str_value, 857 int str_length, 858 unsigned char *pstart, 859 unsigned char **pcur, 860 const struct nls_table *nls_cp) 861 { 862 unsigned char *tmp = pstart; 863 int len; 864 865 if (!pbuf) 866 return; 867 868 if (!pcur) 869 pcur = &tmp; 870 871 if (!str_value) { 872 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 873 pbuf->Length = 0; 874 pbuf->MaximumLength = 0; 875 *pcur += sizeof(__le16); 876 } else { 877 len = cifs_strtoUTF16((__le16 *)*pcur, 878 str_value, 879 str_length, 880 nls_cp); 881 len *= sizeof(__le16); 882 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 883 pbuf->Length = cpu_to_le16(len); 884 pbuf->MaximumLength = cpu_to_le16(len); 885 *pcur += len; 886 } 887 } 888 889 /* BB Move to ntlmssp.c eventually */ 890 891 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 892 u16 *buflen, 893 struct cifs_ses *ses, 894 struct TCP_Server_Info *server, 895 const struct nls_table *nls_cp) 896 { 897 int rc = 0; 898 NEGOTIATE_MESSAGE *sec_blob; 899 __u32 flags; 900 unsigned char *tmp; 901 int len; 902 903 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 904 *pbuffer = kmalloc(len, GFP_KERNEL); 905 if (!*pbuffer) { 906 rc = -ENOMEM; 907 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 908 *buflen = 0; 909 goto setup_ntlm_neg_ret; 910 } 911 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 912 913 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 914 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 915 sec_blob->MessageType = NtLmNegotiate; 916 917 /* BB is NTLMV2 session security format easier to use here? */ 918 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 919 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 920 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 921 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 922 NTLMSSP_NEGOTIATE_SIGN; 923 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 924 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 925 926 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 927 ses->ntlmssp->client_flags = flags; 928 sec_blob->NegotiateFlags = cpu_to_le32(flags); 929 930 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 931 cifs_security_buffer_from_str(&sec_blob->DomainName, 932 NULL, 933 CIFS_MAX_DOMAINNAME_LEN, 934 *pbuffer, &tmp, 935 nls_cp); 936 937 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 938 NULL, 939 CIFS_MAX_WORKSTATION_LEN, 940 *pbuffer, &tmp, 941 nls_cp); 942 943 *buflen = tmp - *pbuffer; 944 setup_ntlm_neg_ret: 945 return rc; 946 } 947 948 /* 949 * Build ntlmssp blob with additional fields, such as version, 950 * supported by modern servers. For safety limit to SMB3 or later 951 * See notes in MS-NLMP Section 2.2.2.1 e.g. 952 */ 953 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 954 u16 *buflen, 955 struct cifs_ses *ses, 956 struct TCP_Server_Info *server, 957 const struct nls_table *nls_cp) 958 { 959 int rc = 0; 960 struct negotiate_message *sec_blob; 961 __u32 flags; 962 unsigned char *tmp; 963 int len; 964 965 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 966 *pbuffer = kmalloc(len, GFP_KERNEL); 967 if (!*pbuffer) { 968 rc = -ENOMEM; 969 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 970 *buflen = 0; 971 goto setup_ntlm_smb3_neg_ret; 972 } 973 sec_blob = (struct negotiate_message *)*pbuffer; 974 975 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 976 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 977 sec_blob->MessageType = NtLmNegotiate; 978 979 /* BB is NTLMV2 session security format easier to use here? */ 980 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 981 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 982 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 983 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 984 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 985 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 986 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 987 988 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 989 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 990 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 991 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 992 993 tmp = *pbuffer + sizeof(struct negotiate_message); 994 ses->ntlmssp->client_flags = flags; 995 sec_blob->NegotiateFlags = cpu_to_le32(flags); 996 997 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 998 cifs_security_buffer_from_str(&sec_blob->DomainName, 999 NULL, 1000 CIFS_MAX_DOMAINNAME_LEN, 1001 *pbuffer, &tmp, 1002 nls_cp); 1003 1004 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1005 NULL, 1006 CIFS_MAX_WORKSTATION_LEN, 1007 *pbuffer, &tmp, 1008 nls_cp); 1009 1010 *buflen = tmp - *pbuffer; 1011 setup_ntlm_smb3_neg_ret: 1012 return rc; 1013 } 1014 1015 1016 /* See MS-NLMP 2.2.1.3 */ 1017 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1018 u16 *buflen, 1019 struct cifs_ses *ses, 1020 struct TCP_Server_Info *server, 1021 const struct nls_table *nls_cp) 1022 { 1023 int rc; 1024 AUTHENTICATE_MESSAGE *sec_blob; 1025 __u32 flags; 1026 unsigned char *tmp; 1027 int len; 1028 1029 rc = setup_ntlmv2_rsp(ses, nls_cp); 1030 if (rc) { 1031 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1032 *buflen = 0; 1033 goto setup_ntlmv2_ret; 1034 } 1035 1036 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1037 *pbuffer = kmalloc(len, GFP_KERNEL); 1038 if (!*pbuffer) { 1039 rc = -ENOMEM; 1040 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1041 *buflen = 0; 1042 goto setup_ntlmv2_ret; 1043 } 1044 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1045 1046 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1047 sec_blob->MessageType = NtLmAuthenticate; 1048 1049 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1050 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1051 /* we only send version information in ntlmssp negotiate, so do not set this flag */ 1052 flags = flags & ~NTLMSSP_NEGOTIATE_VERSION; 1053 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1054 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1055 1056 sec_blob->LmChallengeResponse.BufferOffset = 1057 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1058 sec_blob->LmChallengeResponse.Length = 0; 1059 sec_blob->LmChallengeResponse.MaximumLength = 0; 1060 1061 sec_blob->NtChallengeResponse.BufferOffset = 1062 cpu_to_le32(tmp - *pbuffer); 1063 if (ses->user_name != NULL) { 1064 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1065 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1066 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1067 1068 sec_blob->NtChallengeResponse.Length = 1069 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1070 sec_blob->NtChallengeResponse.MaximumLength = 1071 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1072 } else { 1073 /* 1074 * don't send an NT Response for anonymous access 1075 */ 1076 sec_blob->NtChallengeResponse.Length = 0; 1077 sec_blob->NtChallengeResponse.MaximumLength = 0; 1078 } 1079 1080 cifs_security_buffer_from_str(&sec_blob->DomainName, 1081 ses->domainName, 1082 CIFS_MAX_DOMAINNAME_LEN, 1083 *pbuffer, &tmp, 1084 nls_cp); 1085 1086 cifs_security_buffer_from_str(&sec_blob->UserName, 1087 ses->user_name, 1088 CIFS_MAX_USERNAME_LEN, 1089 *pbuffer, &tmp, 1090 nls_cp); 1091 1092 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1093 ses->workstation_name, 1094 ntlmssp_workstation_name_size(ses), 1095 *pbuffer, &tmp, 1096 nls_cp); 1097 1098 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1099 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1100 !calc_seckey(ses)) { 1101 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1102 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1103 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1104 sec_blob->SessionKey.MaximumLength = 1105 cpu_to_le16(CIFS_CPHTXT_SIZE); 1106 tmp += CIFS_CPHTXT_SIZE; 1107 } else { 1108 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1109 sec_blob->SessionKey.Length = 0; 1110 sec_blob->SessionKey.MaximumLength = 0; 1111 } 1112 1113 *buflen = tmp - *pbuffer; 1114 setup_ntlmv2_ret: 1115 return rc; 1116 } 1117 1118 enum securityEnum 1119 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1120 { 1121 switch (server->negflavor) { 1122 case CIFS_NEGFLAVOR_EXTENDED: 1123 switch (requested) { 1124 case Kerberos: 1125 case RawNTLMSSP: 1126 return requested; 1127 case Unspecified: 1128 if (server->sec_ntlmssp && 1129 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1130 return RawNTLMSSP; 1131 if ((server->sec_kerberos || server->sec_mskerberos) && 1132 (global_secflags & CIFSSEC_MAY_KRB5)) 1133 return Kerberos; 1134 fallthrough; 1135 default: 1136 return Unspecified; 1137 } 1138 case CIFS_NEGFLAVOR_UNENCAP: 1139 switch (requested) { 1140 case NTLMv2: 1141 return requested; 1142 case Unspecified: 1143 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1144 return NTLMv2; 1145 break; 1146 default: 1147 break; 1148 } 1149 fallthrough; 1150 default: 1151 return Unspecified; 1152 } 1153 } 1154 1155 struct sess_data { 1156 unsigned int xid; 1157 struct cifs_ses *ses; 1158 struct TCP_Server_Info *server; 1159 struct nls_table *nls_cp; 1160 void (*func)(struct sess_data *); 1161 int result; 1162 1163 /* we will send the SMB in three pieces: 1164 * a fixed length beginning part, an optional 1165 * SPNEGO blob (which can be zero length), and a 1166 * last part which will include the strings 1167 * and rest of bcc area. This allows us to avoid 1168 * a large buffer 17K allocation 1169 */ 1170 int buf0_type; 1171 struct kvec iov[3]; 1172 }; 1173 1174 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1175 static int 1176 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1177 { 1178 int rc; 1179 struct cifs_ses *ses = sess_data->ses; 1180 struct smb_hdr *smb_buf; 1181 1182 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1183 (void **)&smb_buf); 1184 1185 if (rc) 1186 return rc; 1187 1188 sess_data->iov[0].iov_base = (char *)smb_buf; 1189 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1190 /* 1191 * This variable will be used to clear the buffer 1192 * allocated above in case of any error in the calling function. 1193 */ 1194 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1195 1196 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1197 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1198 if (!sess_data->iov[2].iov_base) { 1199 rc = -ENOMEM; 1200 goto out_free_smb_buf; 1201 } 1202 1203 return 0; 1204 1205 out_free_smb_buf: 1206 cifs_small_buf_release(smb_buf); 1207 sess_data->iov[0].iov_base = NULL; 1208 sess_data->iov[0].iov_len = 0; 1209 sess_data->buf0_type = CIFS_NO_BUFFER; 1210 return rc; 1211 } 1212 1213 static void 1214 sess_free_buffer(struct sess_data *sess_data) 1215 { 1216 struct kvec *iov = sess_data->iov; 1217 1218 /* 1219 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1220 * Note that iov[1] is already freed by caller. 1221 */ 1222 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1223 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1224 1225 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1226 sess_data->buf0_type = CIFS_NO_BUFFER; 1227 kfree_sensitive(iov[2].iov_base); 1228 } 1229 1230 static int 1231 sess_establish_session(struct sess_data *sess_data) 1232 { 1233 struct cifs_ses *ses = sess_data->ses; 1234 struct TCP_Server_Info *server = sess_data->server; 1235 1236 cifs_server_lock(server); 1237 if (!server->session_estab) { 1238 if (server->sign) { 1239 server->session_key.response = 1240 kmemdup(ses->auth_key.response, 1241 ses->auth_key.len, GFP_KERNEL); 1242 if (!server->session_key.response) { 1243 cifs_server_unlock(server); 1244 return -ENOMEM; 1245 } 1246 server->session_key.len = 1247 ses->auth_key.len; 1248 } 1249 server->sequence_number = 0x2; 1250 server->session_estab = true; 1251 } 1252 cifs_server_unlock(server); 1253 1254 cifs_dbg(FYI, "CIFS session established successfully\n"); 1255 return 0; 1256 } 1257 1258 static int 1259 sess_sendreceive(struct sess_data *sess_data) 1260 { 1261 int rc; 1262 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1263 __u16 count; 1264 struct kvec rsp_iov = { NULL, 0 }; 1265 1266 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1267 be32_add_cpu(&smb_buf->smb_buf_length, count); 1268 put_bcc(count, smb_buf); 1269 1270 rc = SendReceive2(sess_data->xid, sess_data->ses, 1271 sess_data->iov, 3 /* num_iovecs */, 1272 &sess_data->buf0_type, 1273 CIFS_LOG_ERROR, &rsp_iov); 1274 cifs_small_buf_release(sess_data->iov[0].iov_base); 1275 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1276 1277 return rc; 1278 } 1279 1280 static void 1281 sess_auth_ntlmv2(struct sess_data *sess_data) 1282 { 1283 int rc = 0; 1284 struct smb_hdr *smb_buf; 1285 SESSION_SETUP_ANDX *pSMB; 1286 char *bcc_ptr; 1287 struct cifs_ses *ses = sess_data->ses; 1288 struct TCP_Server_Info *server = sess_data->server; 1289 __u32 capabilities; 1290 __u16 bytes_remaining; 1291 1292 /* old style NTLM sessionsetup */ 1293 /* wct = 13 */ 1294 rc = sess_alloc_buffer(sess_data, 13); 1295 if (rc) 1296 goto out; 1297 1298 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1299 bcc_ptr = sess_data->iov[2].iov_base; 1300 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1301 1302 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1303 1304 /* LM2 password would be here if we supported it */ 1305 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1306 1307 if (ses->user_name != NULL) { 1308 /* calculate nlmv2 response and session key */ 1309 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1310 if (rc) { 1311 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1312 goto out; 1313 } 1314 1315 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1316 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1317 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1318 1319 /* set case sensitive password length after tilen may get 1320 * assigned, tilen is 0 otherwise. 1321 */ 1322 pSMB->req_no_secext.CaseSensitivePasswordLength = 1323 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1324 } else { 1325 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1326 } 1327 1328 if (ses->capabilities & CAP_UNICODE) { 1329 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1330 *bcc_ptr = 0; 1331 bcc_ptr++; 1332 } 1333 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1334 } else { 1335 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1336 } 1337 1338 1339 sess_data->iov[2].iov_len = (long) bcc_ptr - 1340 (long) sess_data->iov[2].iov_base; 1341 1342 rc = sess_sendreceive(sess_data); 1343 if (rc) 1344 goto out; 1345 1346 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1347 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1348 1349 if (smb_buf->WordCount != 3) { 1350 rc = -EIO; 1351 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1352 goto out; 1353 } 1354 1355 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1356 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1357 1358 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1359 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1360 1361 bytes_remaining = get_bcc(smb_buf); 1362 bcc_ptr = pByteArea(smb_buf); 1363 1364 /* BB check if Unicode and decode strings */ 1365 if (bytes_remaining == 0) { 1366 /* no string area to decode, do nothing */ 1367 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1368 /* unicode string area must be word-aligned */ 1369 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1370 ++bcc_ptr; 1371 --bytes_remaining; 1372 } 1373 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1374 sess_data->nls_cp); 1375 } else { 1376 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1377 sess_data->nls_cp); 1378 } 1379 1380 rc = sess_establish_session(sess_data); 1381 out: 1382 sess_data->result = rc; 1383 sess_data->func = NULL; 1384 sess_free_buffer(sess_data); 1385 kfree_sensitive(ses->auth_key.response); 1386 ses->auth_key.response = NULL; 1387 } 1388 1389 #ifdef CONFIG_CIFS_UPCALL 1390 static void 1391 sess_auth_kerberos(struct sess_data *sess_data) 1392 { 1393 int rc = 0; 1394 struct smb_hdr *smb_buf; 1395 SESSION_SETUP_ANDX *pSMB; 1396 char *bcc_ptr; 1397 struct cifs_ses *ses = sess_data->ses; 1398 struct TCP_Server_Info *server = sess_data->server; 1399 __u32 capabilities; 1400 __u16 bytes_remaining; 1401 struct key *spnego_key = NULL; 1402 struct cifs_spnego_msg *msg; 1403 u16 blob_len; 1404 1405 /* extended security */ 1406 /* wct = 12 */ 1407 rc = sess_alloc_buffer(sess_data, 12); 1408 if (rc) 1409 goto out; 1410 1411 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1412 bcc_ptr = sess_data->iov[2].iov_base; 1413 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1414 1415 spnego_key = cifs_get_spnego_key(ses, server); 1416 if (IS_ERR(spnego_key)) { 1417 rc = PTR_ERR(spnego_key); 1418 spnego_key = NULL; 1419 goto out; 1420 } 1421 1422 msg = spnego_key->payload.data[0]; 1423 /* 1424 * check version field to make sure that cifs.upcall is 1425 * sending us a response in an expected form 1426 */ 1427 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1428 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1429 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1430 rc = -EKEYREJECTED; 1431 goto out_put_spnego_key; 1432 } 1433 1434 kfree_sensitive(ses->auth_key.response); 1435 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1436 GFP_KERNEL); 1437 if (!ses->auth_key.response) { 1438 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1439 msg->sesskey_len); 1440 rc = -ENOMEM; 1441 goto out_put_spnego_key; 1442 } 1443 ses->auth_key.len = msg->sesskey_len; 1444 1445 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1446 capabilities |= CAP_EXTENDED_SECURITY; 1447 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1448 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1449 sess_data->iov[1].iov_len = msg->secblob_len; 1450 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1451 1452 if (ses->capabilities & CAP_UNICODE) { 1453 /* unicode strings must be word aligned */ 1454 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1455 *bcc_ptr = 0; 1456 bcc_ptr++; 1457 } 1458 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1459 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1460 } else { 1461 /* BB: is this right? */ 1462 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1463 } 1464 1465 sess_data->iov[2].iov_len = (long) bcc_ptr - 1466 (long) sess_data->iov[2].iov_base; 1467 1468 rc = sess_sendreceive(sess_data); 1469 if (rc) 1470 goto out_put_spnego_key; 1471 1472 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1473 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1474 1475 if (smb_buf->WordCount != 4) { 1476 rc = -EIO; 1477 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1478 goto out_put_spnego_key; 1479 } 1480 1481 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1482 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1483 1484 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1485 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1486 1487 bytes_remaining = get_bcc(smb_buf); 1488 bcc_ptr = pByteArea(smb_buf); 1489 1490 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1491 if (blob_len > bytes_remaining) { 1492 cifs_dbg(VFS, "bad security blob length %d\n", 1493 blob_len); 1494 rc = -EINVAL; 1495 goto out_put_spnego_key; 1496 } 1497 bcc_ptr += blob_len; 1498 bytes_remaining -= blob_len; 1499 1500 /* BB check if Unicode and decode strings */ 1501 if (bytes_remaining == 0) { 1502 /* no string area to decode, do nothing */ 1503 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1504 /* unicode string area must be word-aligned */ 1505 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1506 ++bcc_ptr; 1507 --bytes_remaining; 1508 } 1509 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1510 sess_data->nls_cp); 1511 } else { 1512 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1513 sess_data->nls_cp); 1514 } 1515 1516 rc = sess_establish_session(sess_data); 1517 out_put_spnego_key: 1518 key_invalidate(spnego_key); 1519 key_put(spnego_key); 1520 out: 1521 sess_data->result = rc; 1522 sess_data->func = NULL; 1523 sess_free_buffer(sess_data); 1524 kfree_sensitive(ses->auth_key.response); 1525 ses->auth_key.response = NULL; 1526 } 1527 1528 #endif /* ! CONFIG_CIFS_UPCALL */ 1529 1530 /* 1531 * The required kvec buffers have to be allocated before calling this 1532 * function. 1533 */ 1534 static int 1535 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1536 { 1537 SESSION_SETUP_ANDX *pSMB; 1538 struct cifs_ses *ses = sess_data->ses; 1539 struct TCP_Server_Info *server = sess_data->server; 1540 __u32 capabilities; 1541 char *bcc_ptr; 1542 1543 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1544 1545 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1546 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1547 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1548 return -ENOSYS; 1549 } 1550 1551 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1552 capabilities |= CAP_EXTENDED_SECURITY; 1553 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1554 1555 bcc_ptr = sess_data->iov[2].iov_base; 1556 /* unicode strings must be word aligned */ 1557 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1558 *bcc_ptr = 0; 1559 bcc_ptr++; 1560 } 1561 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1562 1563 sess_data->iov[2].iov_len = (long) bcc_ptr - 1564 (long) sess_data->iov[2].iov_base; 1565 1566 return 0; 1567 } 1568 1569 static void 1570 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1571 1572 static void 1573 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1574 { 1575 int rc; 1576 struct smb_hdr *smb_buf; 1577 SESSION_SETUP_ANDX *pSMB; 1578 struct cifs_ses *ses = sess_data->ses; 1579 struct TCP_Server_Info *server = sess_data->server; 1580 __u16 bytes_remaining; 1581 char *bcc_ptr; 1582 unsigned char *ntlmsspblob = NULL; 1583 u16 blob_len; 1584 1585 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1586 1587 /* 1588 * if memory allocation is successful, caller of this function 1589 * frees it. 1590 */ 1591 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1592 if (!ses->ntlmssp) { 1593 rc = -ENOMEM; 1594 goto out; 1595 } 1596 ses->ntlmssp->sesskey_per_smbsess = false; 1597 1598 /* wct = 12 */ 1599 rc = sess_alloc_buffer(sess_data, 12); 1600 if (rc) 1601 goto out; 1602 1603 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1604 1605 /* Build security blob before we assemble the request */ 1606 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1607 &blob_len, ses, server, 1608 sess_data->nls_cp); 1609 if (rc) 1610 goto out_free_ntlmsspblob; 1611 1612 sess_data->iov[1].iov_len = blob_len; 1613 sess_data->iov[1].iov_base = ntlmsspblob; 1614 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1615 1616 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1617 if (rc) 1618 goto out_free_ntlmsspblob; 1619 1620 rc = sess_sendreceive(sess_data); 1621 1622 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1623 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1624 1625 /* If true, rc here is expected and not an error */ 1626 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1627 smb_buf->Status.CifsError == 1628 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1629 rc = 0; 1630 1631 if (rc) 1632 goto out_free_ntlmsspblob; 1633 1634 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1635 1636 if (smb_buf->WordCount != 4) { 1637 rc = -EIO; 1638 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1639 goto out_free_ntlmsspblob; 1640 } 1641 1642 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1643 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1644 1645 bytes_remaining = get_bcc(smb_buf); 1646 bcc_ptr = pByteArea(smb_buf); 1647 1648 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1649 if (blob_len > bytes_remaining) { 1650 cifs_dbg(VFS, "bad security blob length %d\n", 1651 blob_len); 1652 rc = -EINVAL; 1653 goto out_free_ntlmsspblob; 1654 } 1655 1656 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1657 1658 out_free_ntlmsspblob: 1659 kfree_sensitive(ntlmsspblob); 1660 out: 1661 sess_free_buffer(sess_data); 1662 1663 if (!rc) { 1664 sess_data->func = sess_auth_rawntlmssp_authenticate; 1665 return; 1666 } 1667 1668 /* Else error. Cleanup */ 1669 kfree_sensitive(ses->auth_key.response); 1670 ses->auth_key.response = NULL; 1671 kfree_sensitive(ses->ntlmssp); 1672 ses->ntlmssp = NULL; 1673 1674 sess_data->func = NULL; 1675 sess_data->result = rc; 1676 } 1677 1678 static void 1679 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1680 { 1681 int rc; 1682 struct smb_hdr *smb_buf; 1683 SESSION_SETUP_ANDX *pSMB; 1684 struct cifs_ses *ses = sess_data->ses; 1685 struct TCP_Server_Info *server = sess_data->server; 1686 __u16 bytes_remaining; 1687 char *bcc_ptr; 1688 unsigned char *ntlmsspblob = NULL; 1689 u16 blob_len; 1690 1691 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1692 1693 /* wct = 12 */ 1694 rc = sess_alloc_buffer(sess_data, 12); 1695 if (rc) 1696 goto out; 1697 1698 /* Build security blob before we assemble the request */ 1699 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1700 smb_buf = (struct smb_hdr *)pSMB; 1701 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1702 &blob_len, ses, server, 1703 sess_data->nls_cp); 1704 if (rc) 1705 goto out_free_ntlmsspblob; 1706 sess_data->iov[1].iov_len = blob_len; 1707 sess_data->iov[1].iov_base = ntlmsspblob; 1708 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1709 /* 1710 * Make sure that we tell the server that we are using 1711 * the uid that it just gave us back on the response 1712 * (challenge) 1713 */ 1714 smb_buf->Uid = ses->Suid; 1715 1716 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1717 if (rc) 1718 goto out_free_ntlmsspblob; 1719 1720 rc = sess_sendreceive(sess_data); 1721 if (rc) 1722 goto out_free_ntlmsspblob; 1723 1724 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1725 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1726 if (smb_buf->WordCount != 4) { 1727 rc = -EIO; 1728 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1729 goto out_free_ntlmsspblob; 1730 } 1731 1732 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1733 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1734 1735 if (ses->Suid != smb_buf->Uid) { 1736 ses->Suid = smb_buf->Uid; 1737 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1738 } 1739 1740 bytes_remaining = get_bcc(smb_buf); 1741 bcc_ptr = pByteArea(smb_buf); 1742 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1743 if (blob_len > bytes_remaining) { 1744 cifs_dbg(VFS, "bad security blob length %d\n", 1745 blob_len); 1746 rc = -EINVAL; 1747 goto out_free_ntlmsspblob; 1748 } 1749 bcc_ptr += blob_len; 1750 bytes_remaining -= blob_len; 1751 1752 1753 /* BB check if Unicode and decode strings */ 1754 if (bytes_remaining == 0) { 1755 /* no string area to decode, do nothing */ 1756 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1757 /* unicode string area must be word-aligned */ 1758 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1759 ++bcc_ptr; 1760 --bytes_remaining; 1761 } 1762 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1763 sess_data->nls_cp); 1764 } else { 1765 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1766 sess_data->nls_cp); 1767 } 1768 1769 out_free_ntlmsspblob: 1770 kfree_sensitive(ntlmsspblob); 1771 out: 1772 sess_free_buffer(sess_data); 1773 1774 if (!rc) 1775 rc = sess_establish_session(sess_data); 1776 1777 /* Cleanup */ 1778 kfree_sensitive(ses->auth_key.response); 1779 ses->auth_key.response = NULL; 1780 kfree_sensitive(ses->ntlmssp); 1781 ses->ntlmssp = NULL; 1782 1783 sess_data->func = NULL; 1784 sess_data->result = rc; 1785 } 1786 1787 static int select_sec(struct sess_data *sess_data) 1788 { 1789 int type; 1790 struct cifs_ses *ses = sess_data->ses; 1791 struct TCP_Server_Info *server = sess_data->server; 1792 1793 type = cifs_select_sectype(server, ses->sectype); 1794 cifs_dbg(FYI, "sess setup type %d\n", type); 1795 if (type == Unspecified) { 1796 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1797 return -EINVAL; 1798 } 1799 1800 switch (type) { 1801 case NTLMv2: 1802 sess_data->func = sess_auth_ntlmv2; 1803 break; 1804 case Kerberos: 1805 #ifdef CONFIG_CIFS_UPCALL 1806 sess_data->func = sess_auth_kerberos; 1807 break; 1808 #else 1809 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1810 return -ENOSYS; 1811 #endif /* CONFIG_CIFS_UPCALL */ 1812 case RawNTLMSSP: 1813 sess_data->func = sess_auth_rawntlmssp_negotiate; 1814 break; 1815 default: 1816 cifs_dbg(VFS, "secType %d not supported!\n", type); 1817 return -ENOSYS; 1818 } 1819 1820 return 0; 1821 } 1822 1823 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1824 struct TCP_Server_Info *server, 1825 const struct nls_table *nls_cp) 1826 { 1827 int rc = 0; 1828 struct sess_data *sess_data; 1829 1830 if (ses == NULL) { 1831 WARN(1, "%s: ses == NULL!", __func__); 1832 return -EINVAL; 1833 } 1834 1835 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 1836 if (!sess_data) 1837 return -ENOMEM; 1838 1839 sess_data->xid = xid; 1840 sess_data->ses = ses; 1841 sess_data->server = server; 1842 sess_data->buf0_type = CIFS_NO_BUFFER; 1843 sess_data->nls_cp = (struct nls_table *) nls_cp; 1844 1845 rc = select_sec(sess_data); 1846 if (rc) 1847 goto out; 1848 1849 while (sess_data->func) 1850 sess_data->func(sess_data); 1851 1852 /* Store result before we free sess_data */ 1853 rc = sess_data->result; 1854 1855 out: 1856 kfree_sensitive(sess_data); 1857 return rc; 1858 } 1859 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 1860