1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 *
4 * SMB/CIFS session setup handling routines
5 *
6 * Copyright (c) International Business Machines Corp., 2006, 2009
7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 */
10
11 #include "cifspdu.h"
12 #include "cifsglob.h"
13 #include "cifsproto.h"
14 #include "cifs_unicode.h"
15 #include "cifs_debug.h"
16 #include "ntlmssp.h"
17 #include "nterr.h"
18 #include <linux/utsname.h>
19 #include <linux/slab.h>
20 #include <linux/version.h>
21 #include "cifsfs.h"
22 #include "cifs_spnego.h"
23 #include "smb2proto.h"
24 #include "fs_context.h"
25
26 static int
27 cifs_ses_add_channel(struct cifs_ses *ses,
28 struct cifs_server_iface *iface);
29
is_ses_using_iface(struct cifs_ses * ses,struct cifs_server_iface * iface)30 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
31 {
32 int i;
33
34 spin_lock(&ses->chan_lock);
35 for (i = 0; i < ses->chan_count; i++) {
36 if (ses->chans[i].iface == iface) {
37 spin_unlock(&ses->chan_lock);
38 return true;
39 }
40 }
41 spin_unlock(&ses->chan_lock);
42 return false;
43 }
44
45 /* channel helper functions. assumed that chan_lock is held by caller. */
46
47 int
cifs_ses_get_chan_index(struct cifs_ses * ses,struct TCP_Server_Info * server)48 cifs_ses_get_chan_index(struct cifs_ses *ses,
49 struct TCP_Server_Info *server)
50 {
51 unsigned int i;
52
53 /* if the channel is waiting for termination */
54 if (server && server->terminate)
55 return CIFS_INVAL_CHAN_INDEX;
56
57 for (i = 0; i < ses->chan_count; i++) {
58 if (ses->chans[i].server == server)
59 return i;
60 }
61
62 /* If we didn't find the channel, it is likely a bug */
63 if (server)
64 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
65 server->conn_id);
66 return CIFS_INVAL_CHAN_INDEX;
67 }
68
69 void
cifs_chan_set_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)70 cifs_chan_set_in_reconnect(struct cifs_ses *ses,
71 struct TCP_Server_Info *server)
72 {
73 int chan_index = cifs_ses_get_chan_index(ses, server);
74
75 if (chan_index == CIFS_INVAL_CHAN_INDEX)
76 return;
77
78 ses->chans[chan_index].in_reconnect = true;
79 }
80
81 void
cifs_chan_clear_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)82 cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
83 struct TCP_Server_Info *server)
84 {
85 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
86
87 if (chan_index == CIFS_INVAL_CHAN_INDEX)
88 return;
89
90 ses->chans[chan_index].in_reconnect = false;
91 }
92
93 void
cifs_chan_set_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)94 cifs_chan_set_need_reconnect(struct cifs_ses *ses,
95 struct TCP_Server_Info *server)
96 {
97 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
98
99 if (chan_index == CIFS_INVAL_CHAN_INDEX)
100 return;
101
102 set_bit(chan_index, &ses->chans_need_reconnect);
103 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
104 chan_index, ses->chans_need_reconnect);
105 }
106
107 void
cifs_chan_clear_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)108 cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
109 struct TCP_Server_Info *server)
110 {
111 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
112
113 if (chan_index == CIFS_INVAL_CHAN_INDEX)
114 return;
115
116 clear_bit(chan_index, &ses->chans_need_reconnect);
117 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
118 chan_index, ses->chans_need_reconnect);
119 }
120
121 bool
cifs_chan_needs_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)122 cifs_chan_needs_reconnect(struct cifs_ses *ses,
123 struct TCP_Server_Info *server)
124 {
125 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
126
127 if (chan_index == CIFS_INVAL_CHAN_INDEX)
128 return true; /* err on the safer side */
129
130 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
131 }
132
133 bool
cifs_chan_is_iface_active(struct cifs_ses * ses,struct TCP_Server_Info * server)134 cifs_chan_is_iface_active(struct cifs_ses *ses,
135 struct TCP_Server_Info *server)
136 {
137 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
138
139 if (chan_index == CIFS_INVAL_CHAN_INDEX)
140 return true; /* err on the safer side */
141
142 return ses->chans[chan_index].iface &&
143 ses->chans[chan_index].iface->is_active;
144 }
145
146 /* returns number of channels added */
cifs_try_adding_channels(struct cifs_ses * ses)147 int cifs_try_adding_channels(struct cifs_ses *ses)
148 {
149 struct TCP_Server_Info *server = ses->server;
150 int old_chan_count, new_chan_count;
151 int left;
152 int rc = 0;
153 int tries = 0;
154 size_t iface_weight = 0, iface_min_speed = 0;
155 struct cifs_server_iface *iface = NULL, *niface = NULL;
156 struct cifs_server_iface *last_iface = NULL;
157
158 spin_lock(&ses->chan_lock);
159
160 new_chan_count = old_chan_count = ses->chan_count;
161 left = ses->chan_max - ses->chan_count;
162
163 if (left <= 0) {
164 spin_unlock(&ses->chan_lock);
165 cifs_dbg(FYI,
166 "ses already at max_channels (%zu), nothing to open\n",
167 ses->chan_max);
168 return 0;
169 }
170
171 if (server->dialect < SMB30_PROT_ID) {
172 spin_unlock(&ses->chan_lock);
173 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
174 return 0;
175 }
176
177 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
178 spin_unlock(&ses->chan_lock);
179 cifs_server_dbg(VFS, "no multichannel support\n");
180 return 0;
181 }
182 spin_unlock(&ses->chan_lock);
183
184 while (left > 0) {
185
186 tries++;
187 if (tries > 3*ses->chan_max) {
188 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
189 left);
190 break;
191 }
192
193 spin_lock(&ses->iface_lock);
194 if (!ses->iface_count) {
195 spin_unlock(&ses->iface_lock);
196 cifs_dbg(ONCE, "server %s does not advertise interfaces\n",
197 ses->server->hostname);
198 break;
199 }
200
201 if (!iface)
202 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
203 iface_head);
204 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
205 iface_head);
206 iface_min_speed = last_iface->speed;
207
208 list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
209 iface_head) {
210 /* do not mix rdma and non-rdma interfaces */
211 if (iface->rdma_capable != ses->server->rdma)
212 continue;
213
214 /* skip ifaces that are unusable */
215 if (!iface->is_active ||
216 (is_ses_using_iface(ses, iface) &&
217 !iface->rss_capable))
218 continue;
219
220 /* check if we already allocated enough channels */
221 iface_weight = iface->speed / iface_min_speed;
222
223 if (iface->weight_fulfilled >= iface_weight)
224 continue;
225
226 /* take ref before unlock */
227 kref_get(&iface->refcount);
228
229 spin_unlock(&ses->iface_lock);
230 rc = cifs_ses_add_channel(ses, iface);
231 spin_lock(&ses->iface_lock);
232
233 if (rc) {
234 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
235 &iface->sockaddr,
236 rc);
237 kref_put(&iface->refcount, release_iface);
238 /* failure to add chan should increase weight */
239 iface->weight_fulfilled++;
240 continue;
241 }
242
243 iface->num_channels++;
244 iface->weight_fulfilled++;
245 cifs_info("successfully opened new channel on iface:%pIS\n",
246 &iface->sockaddr);
247 break;
248 }
249
250 /* reached end of list. reset weight_fulfilled and start over */
251 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
252 list_for_each_entry(iface, &ses->iface_list, iface_head)
253 iface->weight_fulfilled = 0;
254 spin_unlock(&ses->iface_lock);
255 iface = NULL;
256 continue;
257 }
258 spin_unlock(&ses->iface_lock);
259
260 left--;
261 new_chan_count++;
262 }
263
264 return new_chan_count - old_chan_count;
265 }
266
267 /*
268 * cifs_decrease_secondary_channels - Reduce the number of active secondary channels
269 * @ses: pointer to the CIFS session structure
270 * @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max
271 *
272 * This function disables and cleans up extra secondary channels for a CIFS session.
273 * If called during reconfiguration, it reduces the channel count to the new maximum (chan_max).
274 * Otherwise, it disables all but the primary channel.
275 */
276 void
cifs_decrease_secondary_channels(struct cifs_ses * ses,bool disable_mchan)277 cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan)
278 {
279 int i, chan_count;
280 struct TCP_Server_Info *server;
281 struct cifs_server_iface *iface;
282
283 spin_lock(&ses->chan_lock);
284 chan_count = ses->chan_count;
285 if (chan_count == 1)
286 goto done;
287
288 /* Update the chan_count to the new maximum */
289 if (disable_mchan) {
290 cifs_dbg(FYI, "server does not support multichannel anymore.\n");
291 ses->chan_count = 1;
292 } else {
293 ses->chan_count = ses->chan_max;
294 }
295
296 /* Disable all secondary channels beyond the new chan_count */
297 for (i = ses->chan_count ; i < chan_count; i++) {
298 iface = ses->chans[i].iface;
299 server = ses->chans[i].server;
300
301 /*
302 * remove these references first, since we need to unlock
303 * the chan_lock here, since iface_lock is a higher lock
304 */
305 ses->chans[i].iface = NULL;
306 ses->chans[i].server = NULL;
307 spin_unlock(&ses->chan_lock);
308
309 if (iface) {
310 spin_lock(&ses->iface_lock);
311 iface->num_channels--;
312 if (iface->weight_fulfilled)
313 iface->weight_fulfilled--;
314 kref_put(&iface->refcount, release_iface);
315 spin_unlock(&ses->iface_lock);
316 }
317
318 if (server) {
319 if (!server->terminate) {
320 server->terminate = true;
321 cifs_signal_cifsd_for_reconnect(server, false);
322 }
323 cifs_put_tcp_session(server, false);
324 }
325
326 spin_lock(&ses->chan_lock);
327 }
328
329 /* For extra secondary channels, reset the need reconnect bit */
330 if (ses->chan_count == 1) {
331 cifs_dbg(VFS, "Disable all secondary channels\n");
332 ses->chans_need_reconnect &= 1;
333 } else {
334 cifs_dbg(VFS, "Disable extra secondary channels\n");
335 ses->chans_need_reconnect &= ((1UL << ses->chan_max) - 1);
336 }
337
338 done:
339 spin_unlock(&ses->chan_lock);
340 }
341
342 /* update the iface for the channel if necessary. */
343 void
cifs_chan_update_iface(struct cifs_ses * ses,struct TCP_Server_Info * server)344 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
345 {
346 unsigned int chan_index;
347 size_t iface_weight = 0, iface_min_speed = 0;
348 struct cifs_server_iface *iface = NULL;
349 struct cifs_server_iface *old_iface = NULL;
350 struct cifs_server_iface *last_iface = NULL;
351 struct sockaddr_storage ss;
352 int retry = 0;
353
354 spin_lock(&ses->chan_lock);
355 chan_index = cifs_ses_get_chan_index(ses, server);
356 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
357 spin_unlock(&ses->chan_lock);
358 return;
359 }
360
361 if (ses->chans[chan_index].iface) {
362 old_iface = ses->chans[chan_index].iface;
363 if (old_iface->is_active) {
364 spin_unlock(&ses->chan_lock);
365 return;
366 }
367 }
368 spin_unlock(&ses->chan_lock);
369
370 spin_lock(&server->srv_lock);
371 ss = server->dstaddr;
372 spin_unlock(&server->srv_lock);
373
374 spin_lock(&ses->iface_lock);
375 if (!ses->iface_count) {
376 spin_unlock(&ses->iface_lock);
377 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname);
378 return;
379 }
380
381 try_again:
382 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
383 iface_head);
384 iface_min_speed = last_iface->speed;
385
386 /* then look for a new one */
387 list_for_each_entry(iface, &ses->iface_list, iface_head) {
388 if (!chan_index) {
389 /* if we're trying to get the updated iface for primary channel */
390 if (!cifs_match_ipaddr((struct sockaddr *) &ss,
391 (struct sockaddr *) &iface->sockaddr))
392 continue;
393
394 kref_get(&iface->refcount);
395 break;
396 }
397
398 /* do not mix rdma and non-rdma interfaces */
399 if (iface->rdma_capable != server->rdma)
400 continue;
401
402 if (!iface->is_active ||
403 (is_ses_using_iface(ses, iface) &&
404 !iface->rss_capable)) {
405 continue;
406 }
407
408 /* check if we already allocated enough channels */
409 iface_weight = iface->speed / iface_min_speed;
410
411 if (iface->weight_fulfilled >= iface_weight)
412 continue;
413
414 kref_get(&iface->refcount);
415 break;
416 }
417
418 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
419 list_for_each_entry(iface, &ses->iface_list, iface_head)
420 iface->weight_fulfilled = 0;
421
422 /* see if it can be satisfied in second attempt */
423 if (!retry++)
424 goto try_again;
425
426 iface = NULL;
427 cifs_dbg(FYI, "unable to find a suitable iface\n");
428 }
429
430 if (!iface) {
431 if (!chan_index)
432 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
433 &ss);
434 else {
435 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n",
436 &old_iface->sockaddr);
437 }
438
439 spin_unlock(&ses->iface_lock);
440 return;
441 }
442
443 /* now drop the ref to the current iface */
444 if (old_iface) {
445 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
446 &old_iface->sockaddr,
447 &iface->sockaddr);
448
449 old_iface->num_channels--;
450 if (old_iface->weight_fulfilled)
451 old_iface->weight_fulfilled--;
452 iface->num_channels++;
453 iface->weight_fulfilled++;
454
455 kref_put(&old_iface->refcount, release_iface);
456 } else if (!chan_index) {
457 /* special case: update interface for primary channel */
458 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
459 &iface->sockaddr);
460 iface->num_channels++;
461 iface->weight_fulfilled++;
462 }
463 spin_unlock(&ses->iface_lock);
464
465 spin_lock(&ses->chan_lock);
466 chan_index = cifs_ses_get_chan_index(ses, server);
467 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
468 spin_unlock(&ses->chan_lock);
469 return;
470 }
471
472 ses->chans[chan_index].iface = iface;
473 spin_unlock(&ses->chan_lock);
474
475 spin_lock(&server->srv_lock);
476 memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr));
477 spin_unlock(&server->srv_lock);
478 }
479
480 static int
cifs_ses_add_channel(struct cifs_ses * ses,struct cifs_server_iface * iface)481 cifs_ses_add_channel(struct cifs_ses *ses,
482 struct cifs_server_iface *iface)
483 {
484 struct TCP_Server_Info *chan_server;
485 struct cifs_chan *chan;
486 struct smb3_fs_context *ctx;
487 static const char unc_fmt[] = "\\%s\\foo";
488 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
489 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
490 size_t len;
491 int rc;
492 unsigned int xid = get_xid();
493
494 if (iface->sockaddr.ss_family == AF_INET)
495 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
496 ses, iface->speed, str_yes_no(iface->rdma_capable),
497 &ipv4->sin_addr);
498 else
499 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
500 ses, iface->speed, str_yes_no(iface->rdma_capable),
501 &ipv6->sin6_addr);
502
503 /*
504 * Setup a ctx with mostly the same info as the existing
505 * session and overwrite it with the requested iface data.
506 *
507 * We need to setup at least the fields used for negprot and
508 * sesssetup.
509 *
510 * We only need the ctx here, so we can reuse memory from
511 * the session and server without caring about memory
512 * management.
513 */
514 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
515 if (!ctx) {
516 rc = -ENOMEM;
517 goto out_free_xid;
518 }
519
520 /* Always make new connection for now (TODO?) */
521 ctx->nosharesock = true;
522
523 /* Auth */
524 ctx->domainauto = ses->domainAuto;
525 ctx->domainname = ses->domainName;
526
527 ctx->server_hostname = ses->server->hostname;
528
529 ctx->username = ses->user_name;
530 ctx->password = ses->password;
531 ctx->sectype = ses->sectype;
532 ctx->sign = ses->sign;
533 ctx->unicode = ses->unicode;
534
535 /* UNC and paths */
536 /* XXX: Use ses->server->hostname? */
537 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
538 ctx->UNC = kzalloc(len, GFP_KERNEL);
539 if (!ctx->UNC) {
540 rc = -ENOMEM;
541 goto out_free_ctx;
542 }
543 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr);
544 ctx->prepath = "";
545
546 /* Reuse same version as master connection */
547 ctx->vals = ses->server->vals;
548 ctx->ops = ses->server->ops;
549
550 ctx->noblocksnd = ses->server->noblocksnd;
551 ctx->noautotune = ses->server->noautotune;
552 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
553 ctx->echo_interval = ses->server->echo_interval / HZ;
554 ctx->max_credits = ses->server->max_credits;
555 ctx->min_offload = ses->server->min_offload;
556 ctx->compress = ses->server->compression.requested;
557 ctx->dfs_conn = ses->server->dfs_conn;
558 ctx->ignore_signature = ses->server->ignore_signature;
559 ctx->leaf_fullpath = ses->server->leaf_fullpath;
560 ctx->rootfs = ses->server->noblockcnt;
561 ctx->retrans = ses->server->retrans;
562
563 /*
564 * This will be used for encoding/decoding user/domain/pw
565 * during sess setup auth.
566 */
567 ctx->local_nls = ses->local_nls;
568
569 /* Use RDMA if possible */
570 ctx->rdma = iface->rdma_capable;
571 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
572
573 /* reuse master con client guid */
574 memcpy(&ctx->client_guid, ses->server->client_guid,
575 sizeof(ctx->client_guid));
576 ctx->use_client_guid = true;
577
578 chan_server = cifs_get_tcp_session(ctx, ses->server);
579
580 spin_lock(&ses->chan_lock);
581 chan = &ses->chans[ses->chan_count];
582 chan->server = chan_server;
583 if (IS_ERR(chan->server)) {
584 rc = PTR_ERR(chan->server);
585 chan->server = NULL;
586 spin_unlock(&ses->chan_lock);
587 goto out;
588 }
589 chan->iface = iface;
590 ses->chan_count++;
591 atomic_set(&ses->chan_seq, 0);
592
593 /* Mark this channel as needing connect/setup */
594 cifs_chan_set_need_reconnect(ses, chan->server);
595
596 spin_unlock(&ses->chan_lock);
597
598 mutex_lock(&ses->session_mutex);
599 /*
600 * We need to allocate the server crypto now as we will need
601 * to sign packets before we generate the channel signing key
602 * (we sign with the session key)
603 */
604 rc = smb3_crypto_shash_allocate(chan->server);
605 if (rc) {
606 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
607 mutex_unlock(&ses->session_mutex);
608 goto out;
609 }
610
611 rc = cifs_negotiate_protocol(xid, ses, chan->server);
612 if (!rc)
613 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
614
615 mutex_unlock(&ses->session_mutex);
616
617 out:
618 if (rc && chan->server) {
619 cifs_put_tcp_session(chan->server, 0);
620
621 spin_lock(&ses->chan_lock);
622
623 /* we rely on all bits beyond chan_count to be clear */
624 cifs_chan_clear_need_reconnect(ses, chan->server);
625 ses->chan_count--;
626 /*
627 * chan_count should never reach 0 as at least the primary
628 * channel is always allocated
629 */
630 WARN_ON(ses->chan_count < 1);
631 spin_unlock(&ses->chan_lock);
632 }
633
634 kfree(ctx->UNC);
635 out_free_ctx:
636 kfree(ctx);
637 out_free_xid:
638 free_xid(xid);
639 return rc;
640 }
641
642 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
cifs_ssetup_hdr(struct cifs_ses * ses,struct TCP_Server_Info * server,SESSION_SETUP_ANDX * pSMB)643 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
644 struct TCP_Server_Info *server,
645 SESSION_SETUP_ANDX *pSMB)
646 {
647 __u32 capabilities = 0;
648
649 /* init fields common to all four types of SessSetup */
650 /* Note that offsets for first seven fields in req struct are same */
651 /* in CIFS Specs so does not matter which of 3 forms of struct */
652 /* that we use in next few lines */
653 /* Note that header is initialized to zero in header_assemble */
654 pSMB->req.AndXCommand = 0xFF;
655 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
656 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
657 USHRT_MAX));
658 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
659 pSMB->req.VcNumber = cpu_to_le16(1);
660 pSMB->req.SessionKey = server->session_key_id;
661
662 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
663
664 /* BB verify whether signing required on neg or just auth frame (and NTLM case) */
665
666 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
667 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
668
669 if (server->sign)
670 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
671
672 if (ses->capabilities & CAP_UNICODE) {
673 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
674 capabilities |= CAP_UNICODE;
675 }
676 if (ses->capabilities & CAP_STATUS32) {
677 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
678 capabilities |= CAP_STATUS32;
679 }
680 if (ses->capabilities & CAP_DFS) {
681 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
682 capabilities |= CAP_DFS;
683 }
684 if (ses->capabilities & CAP_UNIX)
685 capabilities |= CAP_UNIX;
686
687 return capabilities;
688 }
689
690 static void
unicode_oslm_strings(char ** pbcc_area,const struct nls_table * nls_cp)691 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
692 {
693 char *bcc_ptr = *pbcc_area;
694 int bytes_ret = 0;
695
696 /* Copy OS version */
697 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
698 nls_cp);
699 bcc_ptr += 2 * bytes_ret;
700 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
701 32, nls_cp);
702 bcc_ptr += 2 * bytes_ret;
703 bcc_ptr += 2; /* trailing null */
704
705 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
706 32, nls_cp);
707 bcc_ptr += 2 * bytes_ret;
708 bcc_ptr += 2; /* trailing null */
709
710 *pbcc_area = bcc_ptr;
711 }
712
713 static void
ascii_oslm_strings(char ** pbcc_area,const struct nls_table * nls_cp)714 ascii_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
715 {
716 char *bcc_ptr = *pbcc_area;
717
718 strcpy(bcc_ptr, "Linux version ");
719 bcc_ptr += strlen("Linux version ");
720 strcpy(bcc_ptr, init_utsname()->release);
721 bcc_ptr += strlen(init_utsname()->release) + 1;
722
723 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
724 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
725
726 *pbcc_area = bcc_ptr;
727 }
728
unicode_domain_string(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)729 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
730 const struct nls_table *nls_cp)
731 {
732 char *bcc_ptr = *pbcc_area;
733 int bytes_ret = 0;
734
735 /* copy domain */
736 if (ses->domainName == NULL) {
737 /*
738 * Sending null domain better than using a bogus domain name (as
739 * we did briefly in 2.6.18) since server will use its default
740 */
741 *bcc_ptr = 0;
742 *(bcc_ptr+1) = 0;
743 bytes_ret = 0;
744 } else
745 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
746 CIFS_MAX_DOMAINNAME_LEN, nls_cp);
747 bcc_ptr += 2 * bytes_ret;
748 bcc_ptr += 2; /* account for null terminator */
749
750 *pbcc_area = bcc_ptr;
751 }
752
ascii_domain_string(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)753 static void ascii_domain_string(char **pbcc_area, struct cifs_ses *ses,
754 const struct nls_table *nls_cp)
755 {
756 char *bcc_ptr = *pbcc_area;
757 int len;
758
759 /* copy domain */
760 if (ses->domainName != NULL) {
761 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
762 if (WARN_ON_ONCE(len < 0))
763 len = CIFS_MAX_DOMAINNAME_LEN - 1;
764 bcc_ptr += len;
765 } /* else we send a null domain name so server will default to its own domain */
766 *bcc_ptr = 0;
767 bcc_ptr++;
768
769 *pbcc_area = bcc_ptr;
770 }
771
unicode_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)772 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
773 const struct nls_table *nls_cp)
774 {
775 char *bcc_ptr = *pbcc_area;
776 int bytes_ret = 0;
777
778 /* BB FIXME add check that strings less than 335 or will need to send as arrays */
779
780 /* copy user */
781 if (ses->user_name == NULL) {
782 /* null user mount */
783 *bcc_ptr = 0;
784 *(bcc_ptr+1) = 0;
785 } else {
786 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
787 CIFS_MAX_USERNAME_LEN, nls_cp);
788 }
789 bcc_ptr += 2 * bytes_ret;
790 bcc_ptr += 2; /* account for null termination */
791
792 unicode_domain_string(&bcc_ptr, ses, nls_cp);
793 unicode_oslm_strings(&bcc_ptr, nls_cp);
794
795 *pbcc_area = bcc_ptr;
796 }
797
ascii_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)798 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
799 const struct nls_table *nls_cp)
800 {
801 char *bcc_ptr = *pbcc_area;
802 int len;
803
804 /* copy user */
805 /* BB what about null user mounts - check that we do this BB */
806 /* copy user */
807 if (ses->user_name != NULL) {
808 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
809 if (WARN_ON_ONCE(len < 0))
810 len = CIFS_MAX_USERNAME_LEN - 1;
811 bcc_ptr += len;
812 }
813 /* else null user mount */
814 *bcc_ptr = 0;
815 bcc_ptr++; /* account for null termination */
816
817 /* BB check for overflow here */
818
819 ascii_domain_string(&bcc_ptr, ses, nls_cp);
820 ascii_oslm_strings(&bcc_ptr, nls_cp);
821
822 *pbcc_area = bcc_ptr;
823 }
824
825 static void
decode_unicode_ssetup(char ** pbcc_area,int bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)826 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
827 const struct nls_table *nls_cp)
828 {
829 int len;
830 char *data = *pbcc_area;
831
832 cifs_dbg(FYI, "bleft %d\n", bleft);
833
834 kfree(ses->serverOS);
835 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
836 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
837 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
838 data += len;
839 bleft -= len;
840 if (bleft <= 0)
841 return;
842
843 kfree(ses->serverNOS);
844 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
845 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
846 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
847 data += len;
848 bleft -= len;
849 if (bleft <= 0)
850 return;
851
852 kfree(ses->serverDomain);
853 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
854 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
855
856 return;
857 }
858
decode_ascii_ssetup(char ** pbcc_area,__u16 bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)859 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
860 struct cifs_ses *ses,
861 const struct nls_table *nls_cp)
862 {
863 int len;
864 char *bcc_ptr = *pbcc_area;
865
866 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
867
868 len = strnlen(bcc_ptr, bleft);
869 if (len >= bleft)
870 return;
871
872 kfree(ses->serverOS);
873
874 ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
875 if (ses->serverOS) {
876 memcpy(ses->serverOS, bcc_ptr, len);
877 ses->serverOS[len] = 0;
878 if (strncmp(ses->serverOS, "OS/2", 4) == 0)
879 cifs_dbg(FYI, "OS/2 server\n");
880 }
881
882 bcc_ptr += len + 1;
883 bleft -= len + 1;
884
885 len = strnlen(bcc_ptr, bleft);
886 if (len >= bleft)
887 return;
888
889 kfree(ses->serverNOS);
890
891 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
892 if (ses->serverNOS) {
893 memcpy(ses->serverNOS, bcc_ptr, len);
894 ses->serverNOS[len] = 0;
895 }
896
897 bcc_ptr += len + 1;
898 bleft -= len + 1;
899
900 len = strnlen(bcc_ptr, bleft);
901 if (len > bleft)
902 return;
903
904 /*
905 * No domain field in LANMAN case. Domain is
906 * returned by old servers in the SMB negprot response
907 *
908 * BB For newer servers which do not support Unicode,
909 * but thus do return domain here, we could add parsing
910 * for it later, but it is not very important
911 */
912 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
913 }
914 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
915
decode_ntlmssp_challenge(char * bcc_ptr,int blob_len,struct cifs_ses * ses)916 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
917 struct cifs_ses *ses)
918 {
919 unsigned int tioffset; /* challenge message target info area */
920 unsigned int tilen; /* challenge message target info area length */
921 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
922 __u32 server_flags;
923
924 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
925 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
926 return -EINVAL;
927 }
928
929 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
930 cifs_dbg(VFS, "blob signature incorrect %s\n",
931 pblob->Signature);
932 return -EINVAL;
933 }
934 if (pblob->MessageType != NtLmChallenge) {
935 cifs_dbg(VFS, "Incorrect message type %d\n",
936 pblob->MessageType);
937 return -EINVAL;
938 }
939
940 server_flags = le32_to_cpu(pblob->NegotiateFlags);
941 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
942 ses->ntlmssp->client_flags, server_flags);
943
944 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) &&
945 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
946 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
947 __func__);
948 return -EINVAL;
949 }
950 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
951 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
952 return -EINVAL;
953 }
954 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
955 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
956 __func__);
957 return -EOPNOTSUPP;
958 }
959 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
960 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
961 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
962 __func__);
963
964 ses->ntlmssp->server_flags = server_flags;
965
966 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
967 /*
968 * In particular we can examine sign flags
969 *
970 * BB spec says that if AvId field of MsvAvTimestamp is populated then
971 * we must set the MIC field of the AUTHENTICATE_MESSAGE
972 */
973
974 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
975 tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
976 if (tioffset > blob_len || tioffset + tilen > blob_len) {
977 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
978 tioffset, tilen);
979 return -EINVAL;
980 }
981 if (tilen) {
982 kfree_sensitive(ses->auth_key.response);
983 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
984 GFP_KERNEL);
985 if (!ses->auth_key.response) {
986 cifs_dbg(VFS, "Challenge target info alloc failure\n");
987 return -ENOMEM;
988 }
989 ses->auth_key.len = tilen;
990 }
991
992 return 0;
993 }
994
size_of_ntlmssp_blob(struct cifs_ses * ses,int base_size)995 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size)
996 {
997 int sz = base_size + ses->auth_key.len
998 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
999
1000 if (ses->domainName)
1001 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
1002 else
1003 sz += sizeof(__le16);
1004
1005 if (ses->user_name)
1006 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
1007 else
1008 sz += sizeof(__le16);
1009
1010 if (ses->workstation_name[0])
1011 sz += sizeof(__le16) * strnlen(ses->workstation_name,
1012 ntlmssp_workstation_name_size(ses));
1013 else
1014 sz += sizeof(__le16);
1015
1016 return sz;
1017 }
1018
cifs_security_buffer_from_str(SECURITY_BUFFER * pbuf,char * str_value,int str_length,unsigned char * pstart,unsigned char ** pcur,const struct nls_table * nls_cp)1019 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
1020 char *str_value,
1021 int str_length,
1022 unsigned char *pstart,
1023 unsigned char **pcur,
1024 const struct nls_table *nls_cp)
1025 {
1026 unsigned char *tmp = pstart;
1027 int len;
1028
1029 if (!pbuf)
1030 return;
1031
1032 if (!pcur)
1033 pcur = &tmp;
1034
1035 if (!str_value) {
1036 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1037 pbuf->Length = 0;
1038 pbuf->MaximumLength = 0;
1039 *pcur += sizeof(__le16);
1040 } else {
1041 len = cifs_strtoUTF16((__le16 *)*pcur,
1042 str_value,
1043 str_length,
1044 nls_cp);
1045 len *= sizeof(__le16);
1046 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1047 pbuf->Length = cpu_to_le16(len);
1048 pbuf->MaximumLength = cpu_to_le16(len);
1049 *pcur += len;
1050 }
1051 }
1052
1053 /* BB Move to ntlmssp.c eventually */
1054
build_ntlmssp_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1055 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
1056 u16 *buflen,
1057 struct cifs_ses *ses,
1058 struct TCP_Server_Info *server,
1059 const struct nls_table *nls_cp)
1060 {
1061 int rc = 0;
1062 NEGOTIATE_MESSAGE *sec_blob;
1063 __u32 flags;
1064 unsigned char *tmp;
1065 int len;
1066
1067 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE));
1068 *pbuffer = kmalloc(len, GFP_KERNEL);
1069 if (!*pbuffer) {
1070 rc = -ENOMEM;
1071 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1072 *buflen = 0;
1073 goto setup_ntlm_neg_ret;
1074 }
1075 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer;
1076
1077 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
1078 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1079 sec_blob->MessageType = NtLmNegotiate;
1080
1081 /* BB is NTLMV2 session security format easier to use here? */
1082 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
1083 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1084 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1085 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1086 NTLMSSP_NEGOTIATE_SIGN;
1087 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1088 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1089
1090 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE);
1091 ses->ntlmssp->client_flags = flags;
1092 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1093
1094 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1095 cifs_security_buffer_from_str(&sec_blob->DomainName,
1096 NULL,
1097 CIFS_MAX_DOMAINNAME_LEN,
1098 *pbuffer, &tmp,
1099 nls_cp);
1100
1101 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1102 NULL,
1103 CIFS_MAX_WORKSTATION_LEN,
1104 *pbuffer, &tmp,
1105 nls_cp);
1106
1107 *buflen = tmp - *pbuffer;
1108 setup_ntlm_neg_ret:
1109 return rc;
1110 }
1111
1112 /*
1113 * Build ntlmssp blob with additional fields, such as version,
1114 * supported by modern servers. For safety limit to SMB3 or later
1115 * See notes in MS-NLMP Section 2.2.2.1 e.g.
1116 */
build_ntlmssp_smb3_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1117 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
1118 u16 *buflen,
1119 struct cifs_ses *ses,
1120 struct TCP_Server_Info *server,
1121 const struct nls_table *nls_cp)
1122 {
1123 int rc = 0;
1124 struct negotiate_message *sec_blob;
1125 __u32 flags;
1126 unsigned char *tmp;
1127 int len;
1128
1129 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message));
1130 *pbuffer = kmalloc(len, GFP_KERNEL);
1131 if (!*pbuffer) {
1132 rc = -ENOMEM;
1133 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1134 *buflen = 0;
1135 goto setup_ntlm_smb3_neg_ret;
1136 }
1137 sec_blob = (struct negotiate_message *)*pbuffer;
1138
1139 memset(*pbuffer, 0, sizeof(struct negotiate_message));
1140 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1141 sec_blob->MessageType = NtLmNegotiate;
1142
1143 /* BB is NTLMV2 session security format easier to use here? */
1144 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
1145 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1146 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1147 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1148 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION;
1149 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1150 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1151
1152 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1153 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1154 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1155 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1156
1157 tmp = *pbuffer + sizeof(struct negotiate_message);
1158 ses->ntlmssp->client_flags = flags;
1159 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1160
1161 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1162 cifs_security_buffer_from_str(&sec_blob->DomainName,
1163 NULL,
1164 CIFS_MAX_DOMAINNAME_LEN,
1165 *pbuffer, &tmp,
1166 nls_cp);
1167
1168 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1169 NULL,
1170 CIFS_MAX_WORKSTATION_LEN,
1171 *pbuffer, &tmp,
1172 nls_cp);
1173
1174 *buflen = tmp - *pbuffer;
1175 setup_ntlm_smb3_neg_ret:
1176 return rc;
1177 }
1178
1179
1180 /* See MS-NLMP 2.2.1.3 */
build_ntlmssp_auth_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1181 int build_ntlmssp_auth_blob(unsigned char **pbuffer,
1182 u16 *buflen,
1183 struct cifs_ses *ses,
1184 struct TCP_Server_Info *server,
1185 const struct nls_table *nls_cp)
1186 {
1187 int rc;
1188 AUTHENTICATE_MESSAGE *sec_blob;
1189 __u32 flags;
1190 unsigned char *tmp;
1191 int len;
1192
1193 rc = setup_ntlmv2_rsp(ses, nls_cp);
1194 if (rc) {
1195 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
1196 *buflen = 0;
1197 goto setup_ntlmv2_ret;
1198 }
1199
1200 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE));
1201 *pbuffer = kmalloc(len, GFP_KERNEL);
1202 if (!*pbuffer) {
1203 rc = -ENOMEM;
1204 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1205 *buflen = 0;
1206 goto setup_ntlmv2_ret;
1207 }
1208 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
1209
1210 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1211 sec_blob->MessageType = NtLmAuthenticate;
1212
1213 /* send version information in ntlmssp authenticate also */
1214 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
1215 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION |
1216 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
1217
1218 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1219 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1220 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1221 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1222
1223 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
1224 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1225
1226 sec_blob->LmChallengeResponse.BufferOffset =
1227 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
1228 sec_blob->LmChallengeResponse.Length = 0;
1229 sec_blob->LmChallengeResponse.MaximumLength = 0;
1230
1231 sec_blob->NtChallengeResponse.BufferOffset =
1232 cpu_to_le32(tmp - *pbuffer);
1233 if (ses->user_name != NULL) {
1234 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1235 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1236 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1237
1238 sec_blob->NtChallengeResponse.Length =
1239 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1240 sec_blob->NtChallengeResponse.MaximumLength =
1241 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1242 } else {
1243 /*
1244 * don't send an NT Response for anonymous access
1245 */
1246 sec_blob->NtChallengeResponse.Length = 0;
1247 sec_blob->NtChallengeResponse.MaximumLength = 0;
1248 }
1249
1250 cifs_security_buffer_from_str(&sec_blob->DomainName,
1251 ses->domainName,
1252 CIFS_MAX_DOMAINNAME_LEN,
1253 *pbuffer, &tmp,
1254 nls_cp);
1255
1256 cifs_security_buffer_from_str(&sec_blob->UserName,
1257 ses->user_name,
1258 CIFS_MAX_USERNAME_LEN,
1259 *pbuffer, &tmp,
1260 nls_cp);
1261
1262 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1263 ses->workstation_name,
1264 ntlmssp_workstation_name_size(ses),
1265 *pbuffer, &tmp,
1266 nls_cp);
1267
1268 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
1269 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) &&
1270 !calc_seckey(ses)) {
1271 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
1272 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1273 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1274 sec_blob->SessionKey.MaximumLength =
1275 cpu_to_le16(CIFS_CPHTXT_SIZE);
1276 tmp += CIFS_CPHTXT_SIZE;
1277 } else {
1278 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1279 sec_blob->SessionKey.Length = 0;
1280 sec_blob->SessionKey.MaximumLength = 0;
1281 }
1282
1283 *buflen = tmp - *pbuffer;
1284 setup_ntlmv2_ret:
1285 return rc;
1286 }
1287
1288 enum securityEnum
cifs_select_sectype(struct TCP_Server_Info * server,enum securityEnum requested)1289 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
1290 {
1291 switch (server->negflavor) {
1292 case CIFS_NEGFLAVOR_EXTENDED:
1293 switch (requested) {
1294 case Kerberos:
1295 case RawNTLMSSP:
1296 case IAKerb:
1297 return requested;
1298 case Unspecified:
1299 if (server->sec_ntlmssp &&
1300 (global_secflags & CIFSSEC_MAY_NTLMSSP))
1301 return RawNTLMSSP;
1302 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) &&
1303 (global_secflags & CIFSSEC_MAY_KRB5))
1304 return Kerberos;
1305 fallthrough;
1306 default:
1307 return Unspecified;
1308 }
1309 case CIFS_NEGFLAVOR_UNENCAP:
1310 switch (requested) {
1311 case NTLMv2:
1312 return requested;
1313 case Unspecified:
1314 if (global_secflags & CIFSSEC_MAY_NTLMV2)
1315 return NTLMv2;
1316 break;
1317 default:
1318 break;
1319 }
1320 fallthrough;
1321 default:
1322 return Unspecified;
1323 }
1324 }
1325
1326 struct sess_data {
1327 unsigned int xid;
1328 struct cifs_ses *ses;
1329 struct TCP_Server_Info *server;
1330 struct nls_table *nls_cp;
1331 void (*func)(struct sess_data *);
1332 int result;
1333 unsigned int in_len;
1334
1335 /* we will send the SMB in three pieces:
1336 * a fixed length beginning part, an optional
1337 * SPNEGO blob (which can be zero length), and a
1338 * last part which will include the strings
1339 * and rest of bcc area. This allows us to avoid
1340 * a large buffer 17K allocation
1341 */
1342 int buf0_type;
1343 struct kvec iov[3];
1344 };
1345
1346 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1347 static int
sess_alloc_buffer(struct sess_data * sess_data,int wct)1348 sess_alloc_buffer(struct sess_data *sess_data, int wct)
1349 {
1350 int rc;
1351 struct cifs_ses *ses = sess_data->ses;
1352 struct smb_hdr *smb_buf;
1353
1354 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
1355 (void **)&smb_buf);
1356
1357 if (rc < 0)
1358 return rc;
1359
1360 sess_data->in_len = rc;
1361 sess_data->iov[0].iov_base = (char *)smb_buf;
1362 sess_data->iov[0].iov_len = sess_data->in_len;
1363 /*
1364 * This variable will be used to clear the buffer
1365 * allocated above in case of any error in the calling function.
1366 */
1367 sess_data->buf0_type = CIFS_SMALL_BUFFER;
1368
1369 /* 2000 big enough to fit max user, domain, NOS name etc. */
1370 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
1371 if (!sess_data->iov[2].iov_base) {
1372 rc = -ENOMEM;
1373 goto out_free_smb_buf;
1374 }
1375
1376 return 0;
1377
1378 out_free_smb_buf:
1379 cifs_small_buf_release(smb_buf);
1380 sess_data->iov[0].iov_base = NULL;
1381 sess_data->iov[0].iov_len = 0;
1382 sess_data->buf0_type = CIFS_NO_BUFFER;
1383 return rc;
1384 }
1385
1386 static void
sess_free_buffer(struct sess_data * sess_data)1387 sess_free_buffer(struct sess_data *sess_data)
1388 {
1389 struct kvec *iov = sess_data->iov;
1390
1391 /*
1392 * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
1393 * Note that iov[1] is already freed by caller.
1394 */
1395 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
1396 memzero_explicit(iov[0].iov_base, iov[0].iov_len);
1397
1398 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
1399 sess_data->buf0_type = CIFS_NO_BUFFER;
1400 kfree_sensitive(iov[2].iov_base);
1401 }
1402
1403 static int
sess_establish_session(struct sess_data * sess_data)1404 sess_establish_session(struct sess_data *sess_data)
1405 {
1406 struct cifs_ses *ses = sess_data->ses;
1407 struct TCP_Server_Info *server = sess_data->server;
1408
1409 cifs_server_lock(server);
1410 if (!server->session_estab) {
1411 if (server->sign) {
1412 server->session_key.response =
1413 kmemdup(ses->auth_key.response,
1414 ses->auth_key.len, GFP_KERNEL);
1415 if (!server->session_key.response) {
1416 cifs_server_unlock(server);
1417 return -ENOMEM;
1418 }
1419 server->session_key.len =
1420 ses->auth_key.len;
1421 }
1422 server->sequence_number = 0x2;
1423 server->session_estab = true;
1424 }
1425 cifs_server_unlock(server);
1426
1427 cifs_dbg(FYI, "CIFS session established successfully\n");
1428 return 0;
1429 }
1430
1431 static int
sess_sendreceive(struct sess_data * sess_data)1432 sess_sendreceive(struct sess_data *sess_data)
1433 {
1434 int rc;
1435 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
1436 __u16 count;
1437 struct kvec rsp_iov = { NULL, 0 };
1438
1439 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
1440 sess_data->in_len += count;
1441 put_bcc(count, smb_buf);
1442
1443 rc = SendReceive2(sess_data->xid, sess_data->ses,
1444 sess_data->iov, 3 /* num_iovecs */,
1445 &sess_data->buf0_type,
1446 CIFS_LOG_ERROR, &rsp_iov);
1447 cifs_small_buf_release(sess_data->iov[0].iov_base);
1448 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec));
1449
1450 return rc;
1451 }
1452
1453 static void
sess_auth_ntlmv2(struct sess_data * sess_data)1454 sess_auth_ntlmv2(struct sess_data *sess_data)
1455 {
1456 int rc = 0;
1457 struct smb_hdr *smb_buf;
1458 SESSION_SETUP_ANDX *pSMB;
1459 char *bcc_ptr;
1460 struct cifs_ses *ses = sess_data->ses;
1461 struct TCP_Server_Info *server = sess_data->server;
1462 __u32 capabilities;
1463 __u16 bytes_remaining;
1464
1465 /* old style NTLM sessionsetup */
1466 /* wct = 13 */
1467 rc = sess_alloc_buffer(sess_data, 13);
1468 if (rc)
1469 goto out;
1470
1471 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1472 bcc_ptr = sess_data->iov[2].iov_base;
1473 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1474
1475 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1476
1477 /* LM2 password would be here if we supported it */
1478 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1479
1480 if (ses->user_name != NULL) {
1481 /* calculate nlmv2 response and session key */
1482 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1483 if (rc) {
1484 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1485 goto out;
1486 }
1487
1488 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1489 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1490 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1491
1492 /* set case sensitive password length after tilen may get
1493 * assigned, tilen is 0 otherwise.
1494 */
1495 pSMB->req_no_secext.CaseSensitivePasswordLength =
1496 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1497 } else {
1498 pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1499 }
1500
1501 if (ses->capabilities & CAP_UNICODE) {
1502 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) {
1503 *bcc_ptr = 0;
1504 bcc_ptr++;
1505 }
1506 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1507 } else {
1508 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1509 }
1510
1511
1512 sess_data->iov[2].iov_len = (long) bcc_ptr -
1513 (long) sess_data->iov[2].iov_base;
1514
1515 rc = sess_sendreceive(sess_data);
1516 if (rc)
1517 goto out;
1518
1519 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1520 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1521
1522 if (smb_buf->WordCount != 3) {
1523 rc = smb_EIO1(smb_eio_trace_sess_nl2_wcc, smb_buf->WordCount);
1524 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1525 goto out;
1526 }
1527
1528 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1529 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1530
1531 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1532 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1533
1534 bytes_remaining = get_bcc(smb_buf);
1535 bcc_ptr = pByteArea(smb_buf);
1536
1537 /* BB check if Unicode and decode strings */
1538 if (bytes_remaining == 0) {
1539 /* no string area to decode, do nothing */
1540 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1541 /* unicode string area must be word-aligned */
1542 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1543 ++bcc_ptr;
1544 --bytes_remaining;
1545 }
1546 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1547 sess_data->nls_cp);
1548 } else {
1549 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1550 sess_data->nls_cp);
1551 }
1552
1553 rc = sess_establish_session(sess_data);
1554 out:
1555 sess_data->result = rc;
1556 sess_data->func = NULL;
1557 sess_free_buffer(sess_data);
1558 kfree_sensitive(ses->auth_key.response);
1559 ses->auth_key.response = NULL;
1560 }
1561
1562 #ifdef CONFIG_CIFS_UPCALL
1563 static void
sess_auth_kerberos(struct sess_data * sess_data)1564 sess_auth_kerberos(struct sess_data *sess_data)
1565 {
1566 int rc = 0;
1567 struct smb_hdr *smb_buf;
1568 SESSION_SETUP_ANDX *pSMB;
1569 char *bcc_ptr;
1570 struct cifs_ses *ses = sess_data->ses;
1571 struct TCP_Server_Info *server = sess_data->server;
1572 __u32 capabilities;
1573 __u16 bytes_remaining;
1574 struct key *spnego_key = NULL;
1575 struct cifs_spnego_msg *msg;
1576 u16 blob_len;
1577
1578 /* extended security */
1579 /* wct = 12 */
1580 rc = sess_alloc_buffer(sess_data, 12);
1581 if (rc)
1582 goto out;
1583
1584 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1585 bcc_ptr = sess_data->iov[2].iov_base;
1586 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1587
1588 spnego_key = cifs_get_spnego_key(ses, server);
1589 if (IS_ERR(spnego_key)) {
1590 rc = PTR_ERR(spnego_key);
1591 spnego_key = NULL;
1592 goto out;
1593 }
1594
1595 msg = spnego_key->payload.data[0];
1596 /*
1597 * check version field to make sure that cifs.upcall is
1598 * sending us a response in an expected form
1599 */
1600 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1601 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1602 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1603 rc = -EKEYREJECTED;
1604 goto out_put_spnego_key;
1605 }
1606
1607 kfree_sensitive(ses->auth_key.response);
1608 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1609 GFP_KERNEL);
1610 if (!ses->auth_key.response) {
1611 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1612 msg->sesskey_len);
1613 rc = -ENOMEM;
1614 goto out_put_spnego_key;
1615 }
1616 ses->auth_key.len = msg->sesskey_len;
1617
1618 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1619 capabilities |= CAP_EXTENDED_SECURITY;
1620 pSMB->req.Capabilities = cpu_to_le32(capabilities);
1621 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1622 sess_data->iov[1].iov_len = msg->secblob_len;
1623 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1624
1625 if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
1626 /* unicode strings must be word aligned */
1627 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1628 *bcc_ptr = 0;
1629 bcc_ptr++;
1630 }
1631 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1632 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1633 } else {
1634 ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1635 ascii_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1636 }
1637
1638 sess_data->iov[2].iov_len = (long) bcc_ptr -
1639 (long) sess_data->iov[2].iov_base;
1640
1641 rc = sess_sendreceive(sess_data);
1642 if (rc)
1643 goto out_put_spnego_key;
1644
1645 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1646 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1647
1648 if (smb_buf->WordCount != 4) {
1649 rc = smb_EIO1(smb_eio_trace_sess_krb_wcc, smb_buf->WordCount);
1650 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1651 goto out_put_spnego_key;
1652 }
1653
1654 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1655 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1656
1657 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1658 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1659
1660 bytes_remaining = get_bcc(smb_buf);
1661 bcc_ptr = pByteArea(smb_buf);
1662
1663 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1664 if (blob_len > bytes_remaining) {
1665 cifs_dbg(VFS, "bad security blob length %d\n",
1666 blob_len);
1667 rc = -EINVAL;
1668 goto out_put_spnego_key;
1669 }
1670 bcc_ptr += blob_len;
1671 bytes_remaining -= blob_len;
1672
1673 /* BB check if Unicode and decode strings */
1674 if (bytes_remaining == 0) {
1675 /* no string area to decode, do nothing */
1676 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1677 /* unicode string area must be word-aligned */
1678 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1679 ++bcc_ptr;
1680 --bytes_remaining;
1681 }
1682 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1683 sess_data->nls_cp);
1684 } else {
1685 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1686 sess_data->nls_cp);
1687 }
1688
1689 rc = sess_establish_session(sess_data);
1690 out_put_spnego_key:
1691 key_invalidate(spnego_key);
1692 key_put(spnego_key);
1693 out:
1694 sess_data->result = rc;
1695 sess_data->func = NULL;
1696 sess_free_buffer(sess_data);
1697 kfree_sensitive(ses->auth_key.response);
1698 ses->auth_key.response = NULL;
1699 }
1700
1701 #endif /* ! CONFIG_CIFS_UPCALL */
1702
1703 /*
1704 * The required kvec buffers have to be allocated before calling this
1705 * function.
1706 */
1707 static int
_sess_auth_rawntlmssp_assemble_req(struct sess_data * sess_data)1708 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1709 {
1710 SESSION_SETUP_ANDX *pSMB;
1711 struct cifs_ses *ses = sess_data->ses;
1712 struct TCP_Server_Info *server = sess_data->server;
1713 __u32 capabilities;
1714 char *bcc_ptr;
1715
1716 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1717
1718 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1719 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1720 capabilities |= CAP_EXTENDED_SECURITY;
1721 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1722
1723 bcc_ptr = sess_data->iov[2].iov_base;
1724
1725 if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
1726 /* unicode strings must be word aligned */
1727 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1728 *bcc_ptr = 0;
1729 bcc_ptr++;
1730 }
1731 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1732 } else {
1733 ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1734 }
1735
1736 sess_data->iov[2].iov_len = (long) bcc_ptr -
1737 (long) sess_data->iov[2].iov_base;
1738
1739 return 0;
1740 }
1741
1742 static void
1743 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1744
1745 static void
sess_auth_rawntlmssp_negotiate(struct sess_data * sess_data)1746 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1747 {
1748 int rc;
1749 struct smb_hdr *smb_buf;
1750 SESSION_SETUP_ANDX *pSMB;
1751 struct cifs_ses *ses = sess_data->ses;
1752 struct TCP_Server_Info *server = sess_data->server;
1753 __u16 bytes_remaining;
1754 char *bcc_ptr;
1755 unsigned char *ntlmsspblob = NULL;
1756 u16 blob_len;
1757
1758 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1759
1760 /*
1761 * if memory allocation is successful, caller of this function
1762 * frees it.
1763 */
1764 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1765 if (!ses->ntlmssp) {
1766 rc = -ENOMEM;
1767 goto out;
1768 }
1769 ses->ntlmssp->sesskey_per_smbsess = false;
1770
1771 /* wct = 12 */
1772 rc = sess_alloc_buffer(sess_data, 12);
1773 if (rc)
1774 goto out;
1775
1776 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1777
1778 /* Build security blob before we assemble the request */
1779 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob,
1780 &blob_len, ses, server,
1781 sess_data->nls_cp);
1782 if (rc)
1783 goto out_free_ntlmsspblob;
1784
1785 sess_data->iov[1].iov_len = blob_len;
1786 sess_data->iov[1].iov_base = ntlmsspblob;
1787 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1788
1789 rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1790 if (rc)
1791 goto out_free_ntlmsspblob;
1792
1793 rc = sess_sendreceive(sess_data);
1794
1795 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1796 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1797
1798 /* If true, rc here is expected and not an error */
1799 if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1800 smb_buf->Status.CifsError ==
1801 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1802 rc = 0;
1803
1804 if (rc)
1805 goto out_free_ntlmsspblob;
1806
1807 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1808
1809 if (smb_buf->WordCount != 4) {
1810 rc = smb_EIO1(smb_eio_trace_sess_rawnl_neg_wcc, smb_buf->WordCount);
1811 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1812 goto out_free_ntlmsspblob;
1813 }
1814
1815 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1816 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1817
1818 bytes_remaining = get_bcc(smb_buf);
1819 bcc_ptr = pByteArea(smb_buf);
1820
1821 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1822 if (blob_len > bytes_remaining) {
1823 cifs_dbg(VFS, "bad security blob length %d\n",
1824 blob_len);
1825 rc = -EINVAL;
1826 goto out_free_ntlmsspblob;
1827 }
1828
1829 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1830
1831 out_free_ntlmsspblob:
1832 kfree_sensitive(ntlmsspblob);
1833 out:
1834 sess_free_buffer(sess_data);
1835
1836 if (!rc) {
1837 sess_data->func = sess_auth_rawntlmssp_authenticate;
1838 return;
1839 }
1840
1841 /* Else error. Cleanup */
1842 kfree_sensitive(ses->auth_key.response);
1843 ses->auth_key.response = NULL;
1844 kfree_sensitive(ses->ntlmssp);
1845 ses->ntlmssp = NULL;
1846
1847 sess_data->func = NULL;
1848 sess_data->result = rc;
1849 }
1850
1851 static void
sess_auth_rawntlmssp_authenticate(struct sess_data * sess_data)1852 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1853 {
1854 int rc;
1855 struct smb_hdr *smb_buf;
1856 SESSION_SETUP_ANDX *pSMB;
1857 struct cifs_ses *ses = sess_data->ses;
1858 struct TCP_Server_Info *server = sess_data->server;
1859 __u16 bytes_remaining;
1860 char *bcc_ptr;
1861 unsigned char *ntlmsspblob = NULL;
1862 u16 blob_len;
1863
1864 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1865
1866 /* wct = 12 */
1867 rc = sess_alloc_buffer(sess_data, 12);
1868 if (rc)
1869 goto out;
1870
1871 /* Build security blob before we assemble the request */
1872 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1873 smb_buf = (struct smb_hdr *)pSMB;
1874 rc = build_ntlmssp_auth_blob(&ntlmsspblob,
1875 &blob_len, ses, server,
1876 sess_data->nls_cp);
1877 if (rc)
1878 goto out_free_ntlmsspblob;
1879 sess_data->iov[1].iov_len = blob_len;
1880 sess_data->iov[1].iov_base = ntlmsspblob;
1881 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1882 /*
1883 * Make sure that we tell the server that we are using
1884 * the uid that it just gave us back on the response
1885 * (challenge)
1886 */
1887 smb_buf->Uid = ses->Suid;
1888
1889 rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1890 if (rc)
1891 goto out_free_ntlmsspblob;
1892
1893 rc = sess_sendreceive(sess_data);
1894 if (rc)
1895 goto out_free_ntlmsspblob;
1896
1897 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1898 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1899 if (smb_buf->WordCount != 4) {
1900 rc = smb_EIO1(smb_eio_trace_sess_rawnl_auth_wcc, smb_buf->WordCount);
1901 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1902 goto out_free_ntlmsspblob;
1903 }
1904
1905 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1906 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1907
1908 if (ses->Suid != smb_buf->Uid) {
1909 ses->Suid = smb_buf->Uid;
1910 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1911 }
1912
1913 bytes_remaining = get_bcc(smb_buf);
1914 bcc_ptr = pByteArea(smb_buf);
1915 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1916 if (blob_len > bytes_remaining) {
1917 cifs_dbg(VFS, "bad security blob length %d\n",
1918 blob_len);
1919 rc = -EINVAL;
1920 goto out_free_ntlmsspblob;
1921 }
1922 bcc_ptr += blob_len;
1923 bytes_remaining -= blob_len;
1924
1925
1926 /* BB check if Unicode and decode strings */
1927 if (bytes_remaining == 0) {
1928 /* no string area to decode, do nothing */
1929 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1930 /* unicode string area must be word-aligned */
1931 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1932 ++bcc_ptr;
1933 --bytes_remaining;
1934 }
1935 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1936 sess_data->nls_cp);
1937 } else {
1938 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1939 sess_data->nls_cp);
1940 }
1941
1942 out_free_ntlmsspblob:
1943 kfree_sensitive(ntlmsspblob);
1944 out:
1945 sess_free_buffer(sess_data);
1946
1947 if (!rc)
1948 rc = sess_establish_session(sess_data);
1949
1950 /* Cleanup */
1951 kfree_sensitive(ses->auth_key.response);
1952 ses->auth_key.response = NULL;
1953 kfree_sensitive(ses->ntlmssp);
1954 ses->ntlmssp = NULL;
1955
1956 sess_data->func = NULL;
1957 sess_data->result = rc;
1958 }
1959
select_sec(struct sess_data * sess_data)1960 static int select_sec(struct sess_data *sess_data)
1961 {
1962 int type;
1963 struct cifs_ses *ses = sess_data->ses;
1964 struct TCP_Server_Info *server = sess_data->server;
1965
1966 type = cifs_select_sectype(server, ses->sectype);
1967 cifs_dbg(FYI, "sess setup type %d\n", type);
1968 if (type == Unspecified) {
1969 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1970 return -EINVAL;
1971 }
1972
1973 switch (type) {
1974 case NTLMv2:
1975 sess_data->func = sess_auth_ntlmv2;
1976 break;
1977 case Kerberos:
1978 #ifdef CONFIG_CIFS_UPCALL
1979 sess_data->func = sess_auth_kerberos;
1980 break;
1981 #else
1982 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1983 return -ENOSYS;
1984 #endif /* CONFIG_CIFS_UPCALL */
1985 case RawNTLMSSP:
1986 sess_data->func = sess_auth_rawntlmssp_negotiate;
1987 break;
1988 default:
1989 cifs_dbg(VFS, "secType %d not supported!\n", type);
1990 return -ENOSYS;
1991 }
1992
1993 return 0;
1994 }
1995
CIFS_SessSetup(const unsigned int xid,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1996 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1997 struct TCP_Server_Info *server,
1998 const struct nls_table *nls_cp)
1999 {
2000 int rc = 0;
2001 struct sess_data *sess_data;
2002
2003 if (ses == NULL) {
2004 WARN(1, "%s: ses == NULL!", __func__);
2005 return -EINVAL;
2006 }
2007
2008 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
2009 if (!sess_data)
2010 return -ENOMEM;
2011
2012 sess_data->xid = xid;
2013 sess_data->ses = ses;
2014 sess_data->server = server;
2015 sess_data->buf0_type = CIFS_NO_BUFFER;
2016 sess_data->nls_cp = (struct nls_table *) nls_cp;
2017
2018 rc = select_sec(sess_data);
2019 if (rc)
2020 goto out;
2021
2022 while (sess_data->func)
2023 sess_data->func(sess_data);
2024
2025 /* Store result before we free sess_data */
2026 rc = sess_data->result;
2027
2028 out:
2029 kfree_sensitive(sess_data);
2030 return rc;
2031 }
2032 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
2033