1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifsglob.h" 12 #include "cifsproto.h" 13 #include "cifs_unicode.h" 14 #include "cifs_debug.h" 15 #include "ntlmssp.h" 16 #include "nterr.h" 17 #include <linux/utsname.h> 18 #include <linux/slab.h> 19 #include <linux/version.h> 20 #include "cifsfs.h" 21 #include "cifs_spnego.h" 22 #include "smb2proto.h" 23 #include "fs_context.h" 24 25 static int 26 cifs_ses_add_channel(struct cifs_ses *ses, 27 struct cifs_server_iface *iface); 28 29 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 30 { 31 int i; 32 33 spin_lock(&ses->chan_lock); 34 for (i = 0; i < ses->chan_count; i++) { 35 if (ses->chans[i].iface == iface) { 36 spin_unlock(&ses->chan_lock); 37 return true; 38 } 39 } 40 spin_unlock(&ses->chan_lock); 41 return false; 42 } 43 44 /* channel helper functions. assumed that chan_lock is held by caller. */ 45 46 int 47 cifs_ses_get_chan_index(struct cifs_ses *ses, 48 struct TCP_Server_Info *server) 49 { 50 unsigned int i; 51 52 /* if the channel is waiting for termination */ 53 if (server && server->terminate) 54 return CIFS_INVAL_CHAN_INDEX; 55 56 for (i = 0; i < ses->chan_count; i++) { 57 if (ses->chans[i].server == server) 58 return i; 59 } 60 61 /* If we didn't find the channel, it is likely a bug */ 62 if (server) 63 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 64 server->conn_id); 65 return CIFS_INVAL_CHAN_INDEX; 66 } 67 68 void 69 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 70 struct TCP_Server_Info *server) 71 { 72 int chan_index = cifs_ses_get_chan_index(ses, server); 73 74 if (chan_index == CIFS_INVAL_CHAN_INDEX) 75 return; 76 77 ses->chans[chan_index].in_reconnect = true; 78 } 79 80 void 81 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 82 struct TCP_Server_Info *server) 83 { 84 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 85 86 if (chan_index == CIFS_INVAL_CHAN_INDEX) 87 return; 88 89 ses->chans[chan_index].in_reconnect = false; 90 } 91 92 void 93 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 94 struct TCP_Server_Info *server) 95 { 96 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 97 98 if (chan_index == CIFS_INVAL_CHAN_INDEX) 99 return; 100 101 set_bit(chan_index, &ses->chans_need_reconnect); 102 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 103 chan_index, ses->chans_need_reconnect); 104 } 105 106 void 107 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 108 struct TCP_Server_Info *server) 109 { 110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 111 112 if (chan_index == CIFS_INVAL_CHAN_INDEX) 113 return; 114 115 clear_bit(chan_index, &ses->chans_need_reconnect); 116 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 117 chan_index, ses->chans_need_reconnect); 118 } 119 120 bool 121 cifs_chan_needs_reconnect(struct cifs_ses *ses, 122 struct TCP_Server_Info *server) 123 { 124 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 125 126 if (chan_index == CIFS_INVAL_CHAN_INDEX) 127 return true; /* err on the safer side */ 128 129 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 130 } 131 132 bool 133 cifs_chan_is_iface_active(struct cifs_ses *ses, 134 struct TCP_Server_Info *server) 135 { 136 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 137 138 if (chan_index == CIFS_INVAL_CHAN_INDEX) 139 return true; /* err on the safer side */ 140 141 return ses->chans[chan_index].iface && 142 ses->chans[chan_index].iface->is_active; 143 } 144 145 /* returns number of channels added */ 146 int cifs_try_adding_channels(struct cifs_ses *ses) 147 { 148 struct TCP_Server_Info *server = ses->server; 149 int old_chan_count, new_chan_count; 150 int left; 151 int rc = 0; 152 int tries = 0; 153 size_t iface_weight = 0, iface_min_speed = 0; 154 struct cifs_server_iface *iface = NULL, *niface = NULL; 155 struct cifs_server_iface *last_iface = NULL; 156 157 spin_lock(&ses->chan_lock); 158 159 new_chan_count = old_chan_count = ses->chan_count; 160 left = ses->chan_max - ses->chan_count; 161 162 if (left <= 0) { 163 spin_unlock(&ses->chan_lock); 164 cifs_dbg(FYI, 165 "ses already at max_channels (%zu), nothing to open\n", 166 ses->chan_max); 167 return 0; 168 } 169 170 if (server->dialect < SMB30_PROT_ID) { 171 spin_unlock(&ses->chan_lock); 172 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 173 return 0; 174 } 175 176 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 177 spin_unlock(&ses->chan_lock); 178 cifs_server_dbg(VFS, "no multichannel support\n"); 179 return 0; 180 } 181 spin_unlock(&ses->chan_lock); 182 183 while (left > 0) { 184 185 tries++; 186 if (tries > 3*ses->chan_max) { 187 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 188 left); 189 break; 190 } 191 192 spin_lock(&ses->iface_lock); 193 if (!ses->iface_count) { 194 spin_unlock(&ses->iface_lock); 195 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", 196 ses->server->hostname); 197 break; 198 } 199 200 if (!iface) 201 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 202 iface_head); 203 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 204 iface_head); 205 iface_min_speed = last_iface->speed; 206 207 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 208 iface_head) { 209 /* do not mix rdma and non-rdma interfaces */ 210 if (iface->rdma_capable != ses->server->rdma) 211 continue; 212 213 /* skip ifaces that are unusable */ 214 if (!iface->is_active || 215 (is_ses_using_iface(ses, iface) && 216 !iface->rss_capable)) 217 continue; 218 219 /* check if we already allocated enough channels */ 220 iface_weight = iface->speed / iface_min_speed; 221 222 if (iface->weight_fulfilled >= iface_weight) 223 continue; 224 225 /* take ref before unlock */ 226 kref_get(&iface->refcount); 227 228 spin_unlock(&ses->iface_lock); 229 rc = cifs_ses_add_channel(ses, iface); 230 spin_lock(&ses->iface_lock); 231 232 if (rc) { 233 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 234 &iface->sockaddr, 235 rc); 236 kref_put(&iface->refcount, release_iface); 237 /* failure to add chan should increase weight */ 238 iface->weight_fulfilled++; 239 continue; 240 } 241 242 iface->num_channels++; 243 iface->weight_fulfilled++; 244 cifs_info("successfully opened new channel on iface:%pIS\n", 245 &iface->sockaddr); 246 break; 247 } 248 249 /* reached end of list. reset weight_fulfilled and start over */ 250 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 251 list_for_each_entry(iface, &ses->iface_list, iface_head) 252 iface->weight_fulfilled = 0; 253 spin_unlock(&ses->iface_lock); 254 iface = NULL; 255 continue; 256 } 257 spin_unlock(&ses->iface_lock); 258 259 left--; 260 new_chan_count++; 261 } 262 263 return new_chan_count - old_chan_count; 264 } 265 266 /* 267 * cifs_decrease_secondary_channels - Reduce the number of active secondary channels 268 * @ses: pointer to the CIFS session structure 269 * @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max 270 * 271 * This function disables and cleans up extra secondary channels for a CIFS session. 272 * If called during reconfiguration, it reduces the channel count to the new maximum (chan_max). 273 * Otherwise, it disables all but the primary channel. 274 */ 275 void 276 cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan) 277 { 278 int i, chan_count; 279 struct TCP_Server_Info *server; 280 struct cifs_server_iface *iface; 281 282 spin_lock(&ses->chan_lock); 283 chan_count = ses->chan_count; 284 if (chan_count == 1) 285 goto done; 286 287 /* Update the chan_count to the new maximum */ 288 if (disable_mchan) { 289 cifs_dbg(FYI, "server does not support multichannel anymore.\n"); 290 ses->chan_count = 1; 291 } else { 292 ses->chan_count = ses->chan_max; 293 } 294 295 /* Disable all secondary channels beyond the new chan_count */ 296 for (i = ses->chan_count ; i < chan_count; i++) { 297 iface = ses->chans[i].iface; 298 server = ses->chans[i].server; 299 300 /* 301 * remove these references first, since we need to unlock 302 * the chan_lock here, since iface_lock is a higher lock 303 */ 304 ses->chans[i].iface = NULL; 305 ses->chans[i].server = NULL; 306 spin_unlock(&ses->chan_lock); 307 308 if (iface) { 309 spin_lock(&ses->iface_lock); 310 iface->num_channels--; 311 if (iface->weight_fulfilled) 312 iface->weight_fulfilled--; 313 kref_put(&iface->refcount, release_iface); 314 spin_unlock(&ses->iface_lock); 315 } 316 317 if (server) { 318 if (!server->terminate) { 319 server->terminate = true; 320 cifs_signal_cifsd_for_reconnect(server, false); 321 } 322 cifs_put_tcp_session(server, false); 323 } 324 325 spin_lock(&ses->chan_lock); 326 } 327 328 /* For extra secondary channels, reset the need reconnect bit */ 329 if (ses->chan_count == 1) { 330 cifs_dbg(VFS, "Disable all secondary channels\n"); 331 ses->chans_need_reconnect &= 1; 332 } else { 333 cifs_dbg(VFS, "Disable extra secondary channels\n"); 334 ses->chans_need_reconnect &= ((1UL << ses->chan_max) - 1); 335 } 336 337 done: 338 spin_unlock(&ses->chan_lock); 339 } 340 341 /* update the iface for the channel if necessary. */ 342 void 343 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 344 { 345 unsigned int chan_index; 346 size_t iface_weight = 0, iface_min_speed = 0; 347 struct cifs_server_iface *iface = NULL; 348 struct cifs_server_iface *old_iface = NULL; 349 struct cifs_server_iface *last_iface = NULL; 350 struct sockaddr_storage ss; 351 int retry = 0; 352 353 spin_lock(&ses->chan_lock); 354 chan_index = cifs_ses_get_chan_index(ses, server); 355 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 356 spin_unlock(&ses->chan_lock); 357 return; 358 } 359 360 if (ses->chans[chan_index].iface) { 361 old_iface = ses->chans[chan_index].iface; 362 if (old_iface->is_active) { 363 spin_unlock(&ses->chan_lock); 364 return; 365 } 366 } 367 spin_unlock(&ses->chan_lock); 368 369 spin_lock(&server->srv_lock); 370 ss = server->dstaddr; 371 spin_unlock(&server->srv_lock); 372 373 spin_lock(&ses->iface_lock); 374 if (!ses->iface_count) { 375 spin_unlock(&ses->iface_lock); 376 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname); 377 return; 378 } 379 380 try_again: 381 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 382 iface_head); 383 iface_min_speed = last_iface->speed; 384 385 /* then look for a new one */ 386 list_for_each_entry(iface, &ses->iface_list, iface_head) { 387 if (!chan_index) { 388 /* if we're trying to get the updated iface for primary channel */ 389 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 390 (struct sockaddr *) &iface->sockaddr)) 391 continue; 392 393 kref_get(&iface->refcount); 394 break; 395 } 396 397 /* do not mix rdma and non-rdma interfaces */ 398 if (iface->rdma_capable != server->rdma) 399 continue; 400 401 if (!iface->is_active || 402 (is_ses_using_iface(ses, iface) && 403 !iface->rss_capable)) { 404 continue; 405 } 406 407 /* check if we already allocated enough channels */ 408 iface_weight = iface->speed / iface_min_speed; 409 410 if (iface->weight_fulfilled >= iface_weight) 411 continue; 412 413 kref_get(&iface->refcount); 414 break; 415 } 416 417 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 418 list_for_each_entry(iface, &ses->iface_list, iface_head) 419 iface->weight_fulfilled = 0; 420 421 /* see if it can be satisfied in second attempt */ 422 if (!retry++) 423 goto try_again; 424 425 iface = NULL; 426 cifs_dbg(FYI, "unable to find a suitable iface\n"); 427 } 428 429 if (!iface) { 430 if (!chan_index) 431 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 432 &ss); 433 else { 434 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n", 435 &old_iface->sockaddr); 436 } 437 438 spin_unlock(&ses->iface_lock); 439 return; 440 } 441 442 /* now drop the ref to the current iface */ 443 if (old_iface) { 444 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 445 &old_iface->sockaddr, 446 &iface->sockaddr); 447 448 old_iface->num_channels--; 449 if (old_iface->weight_fulfilled) 450 old_iface->weight_fulfilled--; 451 iface->num_channels++; 452 iface->weight_fulfilled++; 453 454 kref_put(&old_iface->refcount, release_iface); 455 } else if (!chan_index) { 456 /* special case: update interface for primary channel */ 457 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 458 &iface->sockaddr); 459 iface->num_channels++; 460 iface->weight_fulfilled++; 461 } 462 spin_unlock(&ses->iface_lock); 463 464 spin_lock(&ses->chan_lock); 465 chan_index = cifs_ses_get_chan_index(ses, server); 466 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 467 spin_unlock(&ses->chan_lock); 468 return; 469 } 470 471 ses->chans[chan_index].iface = iface; 472 spin_unlock(&ses->chan_lock); 473 474 spin_lock(&server->srv_lock); 475 memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr)); 476 spin_unlock(&server->srv_lock); 477 } 478 479 static int 480 cifs_ses_add_channel(struct cifs_ses *ses, 481 struct cifs_server_iface *iface) 482 { 483 struct TCP_Server_Info *chan_server; 484 struct cifs_chan *chan; 485 struct smb3_fs_context *ctx; 486 static const char unc_fmt[] = "\\%s\\foo"; 487 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 488 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 489 size_t len; 490 int rc; 491 unsigned int xid = get_xid(); 492 493 if (iface->sockaddr.ss_family == AF_INET) 494 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 495 ses, iface->speed, str_yes_no(iface->rdma_capable), 496 &ipv4->sin_addr); 497 else 498 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 499 ses, iface->speed, str_yes_no(iface->rdma_capable), 500 &ipv6->sin6_addr); 501 502 /* 503 * Setup a ctx with mostly the same info as the existing 504 * session and overwrite it with the requested iface data. 505 * 506 * We need to setup at least the fields used for negprot and 507 * sesssetup. 508 * 509 * We only need the ctx here, so we can reuse memory from 510 * the session and server without caring about memory 511 * management. 512 */ 513 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 514 if (!ctx) { 515 rc = -ENOMEM; 516 goto out_free_xid; 517 } 518 519 /* Always make new connection for now (TODO?) */ 520 ctx->nosharesock = true; 521 522 /* Auth */ 523 ctx->domainauto = ses->domainAuto; 524 ctx->domainname = ses->domainName; 525 526 ctx->server_hostname = ses->server->hostname; 527 528 ctx->username = ses->user_name; 529 ctx->password = ses->password; 530 ctx->sectype = ses->sectype; 531 ctx->sign = ses->sign; 532 ctx->unicode = ses->unicode; 533 534 /* UNC and paths */ 535 /* XXX: Use ses->server->hostname? */ 536 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 537 ctx->UNC = kzalloc(len, GFP_KERNEL); 538 if (!ctx->UNC) { 539 rc = -ENOMEM; 540 goto out_free_ctx; 541 } 542 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 543 ctx->prepath = ""; 544 545 /* Reuse same version as master connection */ 546 ctx->vals = ses->server->vals; 547 ctx->ops = ses->server->ops; 548 549 ctx->noblocksnd = ses->server->noblocksnd; 550 ctx->noautotune = ses->server->noautotune; 551 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 552 ctx->echo_interval = ses->server->echo_interval / HZ; 553 ctx->max_credits = ses->server->max_credits; 554 ctx->min_offload = ses->server->min_offload; 555 ctx->compress = ses->server->compression.requested; 556 ctx->dfs_conn = ses->server->dfs_conn; 557 ctx->ignore_signature = ses->server->ignore_signature; 558 ctx->leaf_fullpath = ses->server->leaf_fullpath; 559 ctx->rootfs = ses->server->noblockcnt; 560 ctx->retrans = ses->server->retrans; 561 562 /* 563 * This will be used for encoding/decoding user/domain/pw 564 * during sess setup auth. 565 */ 566 ctx->local_nls = ses->local_nls; 567 568 /* Use RDMA if possible */ 569 ctx->rdma = iface->rdma_capable; 570 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 571 572 /* reuse master con client guid */ 573 memcpy(&ctx->client_guid, ses->server->client_guid, 574 sizeof(ctx->client_guid)); 575 ctx->use_client_guid = true; 576 577 chan_server = cifs_get_tcp_session(ctx, ses->server); 578 579 spin_lock(&ses->chan_lock); 580 chan = &ses->chans[ses->chan_count]; 581 chan->server = chan_server; 582 if (IS_ERR(chan->server)) { 583 rc = PTR_ERR(chan->server); 584 chan->server = NULL; 585 spin_unlock(&ses->chan_lock); 586 goto out; 587 } 588 chan->iface = iface; 589 ses->chan_count++; 590 atomic_set(&ses->chan_seq, 0); 591 592 /* Mark this channel as needing connect/setup */ 593 cifs_chan_set_need_reconnect(ses, chan->server); 594 595 spin_unlock(&ses->chan_lock); 596 597 mutex_lock(&ses->session_mutex); 598 /* 599 * We need to allocate the server crypto now as we will need 600 * to sign packets before we generate the channel signing key 601 * (we sign with the session key) 602 */ 603 rc = smb3_crypto_shash_allocate(chan->server); 604 if (rc) { 605 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 606 mutex_unlock(&ses->session_mutex); 607 goto out; 608 } 609 610 rc = cifs_negotiate_protocol(xid, ses, chan->server); 611 if (!rc) 612 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 613 614 mutex_unlock(&ses->session_mutex); 615 616 out: 617 if (rc && chan->server) { 618 cifs_put_tcp_session(chan->server, 0); 619 620 spin_lock(&ses->chan_lock); 621 622 /* we rely on all bits beyond chan_count to be clear */ 623 cifs_chan_clear_need_reconnect(ses, chan->server); 624 ses->chan_count--; 625 /* 626 * chan_count should never reach 0 as at least the primary 627 * channel is always allocated 628 */ 629 WARN_ON(ses->chan_count < 1); 630 spin_unlock(&ses->chan_lock); 631 } 632 633 kfree(ctx->UNC); 634 out_free_ctx: 635 kfree(ctx); 636 out_free_xid: 637 free_xid(xid); 638 return rc; 639 } 640 641 642 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 643 struct cifs_ses *ses) 644 { 645 unsigned int tioffset; /* challenge message target info area */ 646 unsigned int tilen; /* challenge message target info area length */ 647 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 648 __u32 server_flags; 649 650 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 651 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 652 return -EINVAL; 653 } 654 655 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 656 cifs_dbg(VFS, "blob signature incorrect %s\n", 657 pblob->Signature); 658 return -EINVAL; 659 } 660 if (pblob->MessageType != NtLmChallenge) { 661 cifs_dbg(VFS, "Incorrect message type %d\n", 662 pblob->MessageType); 663 return -EINVAL; 664 } 665 666 server_flags = le32_to_cpu(pblob->NegotiateFlags); 667 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 668 ses->ntlmssp->client_flags, server_flags); 669 670 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 671 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 672 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 673 __func__); 674 return -EINVAL; 675 } 676 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 677 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 678 return -EINVAL; 679 } 680 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 681 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 682 __func__); 683 return -EOPNOTSUPP; 684 } 685 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 686 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 687 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 688 __func__); 689 690 ses->ntlmssp->server_flags = server_flags; 691 692 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 693 /* 694 * In particular we can examine sign flags 695 * 696 * BB spec says that if AvId field of MsvAvTimestamp is populated then 697 * we must set the MIC field of the AUTHENTICATE_MESSAGE 698 */ 699 700 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 701 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 702 if (tioffset > blob_len || tioffset + tilen > blob_len) { 703 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 704 tioffset, tilen); 705 return -EINVAL; 706 } 707 if (tilen) { 708 kfree_sensitive(ses->auth_key.response); 709 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 710 GFP_KERNEL); 711 if (!ses->auth_key.response) { 712 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 713 return -ENOMEM; 714 } 715 ses->auth_key.len = tilen; 716 } 717 718 return 0; 719 } 720 721 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 722 { 723 int sz = base_size + ses->auth_key.len 724 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 725 726 if (ses->domainName) 727 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 728 else 729 sz += sizeof(__le16); 730 731 if (ses->user_name) 732 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 733 else 734 sz += sizeof(__le16); 735 736 if (ses->workstation_name[0]) 737 sz += sizeof(__le16) * strnlen(ses->workstation_name, 738 ntlmssp_workstation_name_size(ses)); 739 else 740 sz += sizeof(__le16); 741 742 return sz; 743 } 744 745 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 746 char *str_value, 747 int str_length, 748 unsigned char *pstart, 749 unsigned char **pcur, 750 const struct nls_table *nls_cp) 751 { 752 unsigned char *tmp = pstart; 753 int len; 754 755 if (!pbuf) 756 return; 757 758 if (!pcur) 759 pcur = &tmp; 760 761 if (!str_value) { 762 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 763 pbuf->Length = 0; 764 pbuf->MaximumLength = 0; 765 *pcur += sizeof(__le16); 766 } else { 767 len = cifs_strtoUTF16((__le16 *)*pcur, 768 str_value, 769 str_length, 770 nls_cp); 771 len *= sizeof(__le16); 772 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 773 pbuf->Length = cpu_to_le16(len); 774 pbuf->MaximumLength = cpu_to_le16(len); 775 *pcur += len; 776 } 777 } 778 779 /* BB Move to ntlmssp.c eventually */ 780 781 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 782 u16 *buflen, 783 struct cifs_ses *ses, 784 struct TCP_Server_Info *server, 785 const struct nls_table *nls_cp) 786 { 787 int rc = 0; 788 NEGOTIATE_MESSAGE *sec_blob; 789 __u32 flags; 790 unsigned char *tmp; 791 int len; 792 793 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 794 *pbuffer = kmalloc(len, GFP_KERNEL); 795 if (!*pbuffer) { 796 rc = -ENOMEM; 797 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 798 *buflen = 0; 799 goto setup_ntlm_neg_ret; 800 } 801 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 802 803 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 804 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 805 sec_blob->MessageType = NtLmNegotiate; 806 807 /* BB is NTLMV2 session security format easier to use here? */ 808 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 809 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 810 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 811 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 812 NTLMSSP_NEGOTIATE_SIGN; 813 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 814 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 815 816 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 817 ses->ntlmssp->client_flags = flags; 818 sec_blob->NegotiateFlags = cpu_to_le32(flags); 819 820 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 821 cifs_security_buffer_from_str(&sec_blob->DomainName, 822 NULL, 823 CIFS_MAX_DOMAINNAME_LEN, 824 *pbuffer, &tmp, 825 nls_cp); 826 827 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 828 NULL, 829 CIFS_MAX_WORKSTATION_LEN, 830 *pbuffer, &tmp, 831 nls_cp); 832 833 *buflen = tmp - *pbuffer; 834 setup_ntlm_neg_ret: 835 return rc; 836 } 837 838 /* 839 * Build ntlmssp blob with additional fields, such as version, 840 * supported by modern servers. For safety limit to SMB3 or later 841 * See notes in MS-NLMP Section 2.2.2.1 e.g. 842 */ 843 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 844 u16 *buflen, 845 struct cifs_ses *ses, 846 struct TCP_Server_Info *server, 847 const struct nls_table *nls_cp) 848 { 849 int rc = 0; 850 struct negotiate_message *sec_blob; 851 __u32 flags; 852 unsigned char *tmp; 853 int len; 854 855 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 856 *pbuffer = kmalloc(len, GFP_KERNEL); 857 if (!*pbuffer) { 858 rc = -ENOMEM; 859 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 860 *buflen = 0; 861 goto setup_ntlm_smb3_neg_ret; 862 } 863 sec_blob = (struct negotiate_message *)*pbuffer; 864 865 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 866 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 867 sec_blob->MessageType = NtLmNegotiate; 868 869 /* BB is NTLMV2 session security format easier to use here? */ 870 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 871 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 872 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 873 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 874 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 875 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 876 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 877 878 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 879 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 880 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 881 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 882 883 tmp = *pbuffer + sizeof(struct negotiate_message); 884 ses->ntlmssp->client_flags = flags; 885 sec_blob->NegotiateFlags = cpu_to_le32(flags); 886 887 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 888 cifs_security_buffer_from_str(&sec_blob->DomainName, 889 NULL, 890 CIFS_MAX_DOMAINNAME_LEN, 891 *pbuffer, &tmp, 892 nls_cp); 893 894 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 895 NULL, 896 CIFS_MAX_WORKSTATION_LEN, 897 *pbuffer, &tmp, 898 nls_cp); 899 900 *buflen = tmp - *pbuffer; 901 setup_ntlm_smb3_neg_ret: 902 return rc; 903 } 904 905 906 /* See MS-NLMP 2.2.1.3 */ 907 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 908 u16 *buflen, 909 struct cifs_ses *ses, 910 struct TCP_Server_Info *server, 911 const struct nls_table *nls_cp) 912 { 913 int rc; 914 AUTHENTICATE_MESSAGE *sec_blob; 915 __u32 flags; 916 unsigned char *tmp; 917 int len; 918 919 rc = setup_ntlmv2_rsp(ses, nls_cp); 920 if (rc) { 921 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 922 *buflen = 0; 923 goto setup_ntlmv2_ret; 924 } 925 926 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 927 *pbuffer = kmalloc(len, GFP_KERNEL); 928 if (!*pbuffer) { 929 rc = -ENOMEM; 930 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 931 *buflen = 0; 932 goto setup_ntlmv2_ret; 933 } 934 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 935 936 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 937 sec_blob->MessageType = NtLmAuthenticate; 938 939 /* send version information in ntlmssp authenticate also */ 940 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 941 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 942 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 943 944 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 945 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 946 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 947 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 948 949 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 950 sec_blob->NegotiateFlags = cpu_to_le32(flags); 951 952 sec_blob->LmChallengeResponse.BufferOffset = 953 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 954 sec_blob->LmChallengeResponse.Length = 0; 955 sec_blob->LmChallengeResponse.MaximumLength = 0; 956 957 sec_blob->NtChallengeResponse.BufferOffset = 958 cpu_to_le32(tmp - *pbuffer); 959 if (ses->user_name != NULL) { 960 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 961 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 962 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 963 964 sec_blob->NtChallengeResponse.Length = 965 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 966 sec_blob->NtChallengeResponse.MaximumLength = 967 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 968 } else { 969 /* 970 * don't send an NT Response for anonymous access 971 */ 972 sec_blob->NtChallengeResponse.Length = 0; 973 sec_blob->NtChallengeResponse.MaximumLength = 0; 974 } 975 976 cifs_security_buffer_from_str(&sec_blob->DomainName, 977 ses->domainName, 978 CIFS_MAX_DOMAINNAME_LEN, 979 *pbuffer, &tmp, 980 nls_cp); 981 982 cifs_security_buffer_from_str(&sec_blob->UserName, 983 ses->user_name, 984 CIFS_MAX_USERNAME_LEN, 985 *pbuffer, &tmp, 986 nls_cp); 987 988 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 989 ses->workstation_name, 990 ntlmssp_workstation_name_size(ses), 991 *pbuffer, &tmp, 992 nls_cp); 993 994 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 995 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 996 !calc_seckey(ses)) { 997 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 998 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 999 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1000 sec_blob->SessionKey.MaximumLength = 1001 cpu_to_le16(CIFS_CPHTXT_SIZE); 1002 tmp += CIFS_CPHTXT_SIZE; 1003 } else { 1004 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1005 sec_blob->SessionKey.Length = 0; 1006 sec_blob->SessionKey.MaximumLength = 0; 1007 } 1008 1009 *buflen = tmp - *pbuffer; 1010 setup_ntlmv2_ret: 1011 return rc; 1012 } 1013 1014 enum securityEnum 1015 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1016 { 1017 switch (server->negflavor) { 1018 case CIFS_NEGFLAVOR_EXTENDED: 1019 switch (requested) { 1020 case Kerberos: 1021 case RawNTLMSSP: 1022 case IAKerb: 1023 return requested; 1024 case Unspecified: 1025 if (server->sec_ntlmssp && 1026 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1027 return RawNTLMSSP; 1028 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) && 1029 (global_secflags & CIFSSEC_MAY_KRB5)) 1030 return Kerberos; 1031 fallthrough; 1032 default: 1033 return Unspecified; 1034 } 1035 case CIFS_NEGFLAVOR_UNENCAP: 1036 switch (requested) { 1037 case NTLMv2: 1038 return requested; 1039 case Unspecified: 1040 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1041 return NTLMv2; 1042 break; 1043 default: 1044 break; 1045 } 1046 fallthrough; 1047 default: 1048 return Unspecified; 1049 } 1050 } 1051