1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 *
4 * Copyright (C) International Business Machines Corp., 2002, 2011
5 * Etersoft, 2012
6 * Author(s): Steve French (sfrench@us.ibm.com)
7 * Jeremy Allison (jra@samba.org) 2006
8 * Pavel Shilovsky (pshilovsky@samba.org) 2012
9 *
10 */
11
12 #include <linux/fs.h>
13 #include <linux/list.h>
14 #include <linux/wait.h>
15 #include <linux/net.h>
16 #include <linux/delay.h>
17 #include <linux/uaccess.h>
18 #include <asm/processor.h>
19 #include <linux/mempool.h>
20 #include <linux/highmem.h>
21 #include <crypto/aead.h>
22 #include <crypto/sha2.h>
23 #include <crypto/utils.h>
24 #include "cifsglob.h"
25 #include "cifsproto.h"
26 #include "smb2proto.h"
27 #include "cifs_debug.h"
28 #include "../common/smb2status.h"
29 #include "smb2glob.h"
30
31 int
smb3_crypto_shash_allocate(struct TCP_Server_Info * server)32 smb3_crypto_shash_allocate(struct TCP_Server_Info *server)
33 {
34 struct cifs_secmech *p = &server->secmech;
35
36 return cifs_alloc_hash("cmac(aes)", &p->aes_cmac);
37 }
38
39 static
smb3_get_sign_key(__u64 ses_id,struct TCP_Server_Info * server,u8 * key)40 int smb3_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key)
41 {
42 struct cifs_chan *chan;
43 struct TCP_Server_Info *pserver;
44 struct cifs_ses *ses = NULL;
45 int i;
46 int rc = 0;
47 bool is_binding = false;
48
49 spin_lock(&cifs_tcp_ses_lock);
50
51 /* If server is a channel, select the primary channel */
52 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
53
54 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
55 if (ses->Suid == ses_id)
56 goto found;
57 }
58 trace_smb3_ses_not_found(ses_id);
59 cifs_server_dbg(FYI, "%s: Could not find session 0x%llx\n",
60 __func__, ses_id);
61 rc = -ENOENT;
62 goto out;
63
64 found:
65 spin_lock(&ses->ses_lock);
66 spin_lock(&ses->chan_lock);
67
68 is_binding = (cifs_chan_needs_reconnect(ses, server) &&
69 ses->ses_status == SES_GOOD);
70 if (is_binding) {
71 /*
72 * If we are in the process of binding a new channel
73 * to an existing session, use the master connection
74 * session key
75 */
76 memcpy(key, ses->smb3signingkey, SMB3_SIGN_KEY_SIZE);
77 spin_unlock(&ses->chan_lock);
78 spin_unlock(&ses->ses_lock);
79 goto out;
80 }
81
82 /*
83 * Otherwise, use the channel key.
84 */
85
86 for (i = 0; i < ses->chan_count; i++) {
87 chan = ses->chans + i;
88 if (chan->server == server) {
89 memcpy(key, chan->signkey, SMB3_SIGN_KEY_SIZE);
90 spin_unlock(&ses->chan_lock);
91 spin_unlock(&ses->ses_lock);
92 goto out;
93 }
94 }
95 spin_unlock(&ses->chan_lock);
96 spin_unlock(&ses->ses_lock);
97
98 cifs_dbg(VFS,
99 "%s: Could not find channel signing key for session 0x%llx\n",
100 __func__, ses_id);
101 rc = -ENOENT;
102
103 out:
104 spin_unlock(&cifs_tcp_ses_lock);
105 return rc;
106 }
107
108 static struct cifs_ses *
smb2_find_smb_ses_unlocked(struct TCP_Server_Info * server,__u64 ses_id)109 smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id)
110 {
111 struct TCP_Server_Info *pserver;
112 struct cifs_ses *ses;
113
114 /* If server is a channel, select the primary channel */
115 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
116
117 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
118 if (ses->Suid != ses_id)
119 continue;
120
121 spin_lock(&ses->ses_lock);
122 if (ses->ses_status == SES_EXITING) {
123 spin_unlock(&ses->ses_lock);
124 continue;
125 }
126 cifs_smb_ses_inc_refcount(ses);
127 spin_unlock(&ses->ses_lock);
128 return ses;
129 }
130
131 return NULL;
132 }
133
smb2_get_sign_key(struct TCP_Server_Info * server,__u64 ses_id,u8 * key)134 static int smb2_get_sign_key(struct TCP_Server_Info *server,
135 __u64 ses_id, u8 *key)
136 {
137 struct cifs_ses *ses;
138 int rc = -ENOENT;
139
140 if (SERVER_IS_CHAN(server))
141 server = server->primary_server;
142
143 spin_lock(&cifs_tcp_ses_lock);
144 list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
145 if (ses->Suid != ses_id)
146 continue;
147
148 rc = 0;
149 spin_lock(&ses->ses_lock);
150 switch (ses->ses_status) {
151 case SES_EXITING: /* SMB2_LOGOFF */
152 case SES_GOOD:
153 if (likely(ses->auth_key.response)) {
154 memcpy(key, ses->auth_key.response,
155 SMB2_NTLMV2_SESSKEY_SIZE);
156 } else {
157 rc = smb_EIO(smb_eio_trace_no_auth_key);
158 }
159 break;
160 default:
161 rc = -EAGAIN;
162 break;
163 }
164 spin_unlock(&ses->ses_lock);
165 break;
166 }
167 spin_unlock(&cifs_tcp_ses_lock);
168 return rc;
169 }
170
171 static struct cifs_tcon *
smb2_find_smb_sess_tcon_unlocked(struct cifs_ses * ses,__u32 tid)172 smb2_find_smb_sess_tcon_unlocked(struct cifs_ses *ses, __u32 tid)
173 {
174 struct cifs_tcon *tcon;
175
176 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
177 if (tcon->tid != tid)
178 continue;
179 ++tcon->tc_count;
180 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count,
181 netfs_trace_tcon_ref_get_find_sess_tcon);
182 return tcon;
183 }
184
185 return NULL;
186 }
187
188 /*
189 * Obtain tcon corresponding to the tid in the given
190 * cifs_ses
191 */
192
193 struct cifs_tcon *
smb2_find_smb_tcon(struct TCP_Server_Info * server,__u64 ses_id,__u32 tid)194 smb2_find_smb_tcon(struct TCP_Server_Info *server, __u64 ses_id, __u32 tid)
195 {
196 struct cifs_ses *ses;
197 struct cifs_tcon *tcon;
198
199 spin_lock(&cifs_tcp_ses_lock);
200 ses = smb2_find_smb_ses_unlocked(server, ses_id);
201 if (!ses) {
202 spin_unlock(&cifs_tcp_ses_lock);
203 return NULL;
204 }
205 tcon = smb2_find_smb_sess_tcon_unlocked(ses, tid);
206 spin_unlock(&cifs_tcp_ses_lock);
207 /* tcon already has a ref to ses, so we don't need ses anymore */
208 cifs_put_smb_ses(ses);
209
210 return tcon;
211 }
212
213 static int
smb2_calc_signature(struct smb_rqst * rqst,struct TCP_Server_Info * server,bool allocate_crypto)214 smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
215 bool allocate_crypto)
216 {
217 int rc;
218 unsigned char smb2_signature[SMB2_HMACSHA256_SIZE];
219 struct kvec *iov = rqst->rq_iov;
220 struct smb2_hdr *shdr = (struct smb2_hdr *)iov[0].iov_base;
221 struct hmac_sha256_ctx hmac_ctx;
222 struct smb_rqst drqst;
223 __u64 sid = le64_to_cpu(shdr->SessionId);
224 u8 key[SMB2_NTLMV2_SESSKEY_SIZE];
225
226 rc = smb2_get_sign_key(server, sid, key);
227 if (unlikely(rc)) {
228 cifs_server_dbg(FYI, "%s: [sesid=0x%llx] couldn't find signing key: %d\n",
229 __func__, sid, rc);
230 return rc;
231 }
232
233 memset(smb2_signature, 0x0, SMB2_HMACSHA256_SIZE);
234 memset(shdr->Signature, 0x0, SMB2_SIGNATURE_SIZE);
235
236 hmac_sha256_init_usingrawkey(&hmac_ctx, key, sizeof(key));
237
238 /*
239 * For SMB2+, __cifs_calc_signature() expects to sign only the actual
240 * data, that is, iov[0] should not contain a rfc1002 length.
241 *
242 * Sign the rfc1002 length prior to passing the data (iov[1-N]) down to
243 * __cifs_calc_signature().
244 */
245 drqst = *rqst;
246 if (drqst.rq_nvec >= 2 && iov[0].iov_len == 4) {
247 hmac_sha256_update(&hmac_ctx, iov[0].iov_base, iov[0].iov_len);
248 drqst.rq_iov++;
249 drqst.rq_nvec--;
250 }
251
252 rc = __cifs_calc_signature(
253 &drqst, server, smb2_signature,
254 &(struct cifs_calc_sig_ctx){ .hmac = &hmac_ctx });
255 if (!rc)
256 memcpy(shdr->Signature, smb2_signature, SMB2_SIGNATURE_SIZE);
257
258 return rc;
259 }
260
generate_key(struct cifs_ses * ses,struct kvec label,struct kvec context,__u8 * key,unsigned int key_size)261 static int generate_key(struct cifs_ses *ses, struct kvec label,
262 struct kvec context, __u8 *key, unsigned int key_size)
263 {
264 unsigned char zero = 0x0;
265 __u8 i[4] = {0, 0, 0, 1};
266 __u8 L128[4] = {0, 0, 0, 128};
267 __u8 L256[4] = {0, 0, 1, 0};
268 int rc = 0;
269 unsigned char prfhash[SMB2_HMACSHA256_SIZE];
270 struct TCP_Server_Info *server = ses->server;
271 struct hmac_sha256_ctx hmac_ctx;
272
273 memset(prfhash, 0x0, SMB2_HMACSHA256_SIZE);
274 memset(key, 0x0, key_size);
275
276 rc = smb3_crypto_shash_allocate(server);
277 if (rc) {
278 cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__);
279 return rc;
280 }
281
282 hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response,
283 SMB2_NTLMV2_SESSKEY_SIZE);
284 hmac_sha256_update(&hmac_ctx, i, 4);
285 hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len);
286 hmac_sha256_update(&hmac_ctx, &zero, 1);
287 hmac_sha256_update(&hmac_ctx, context.iov_base, context.iov_len);
288
289 if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
290 (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) {
291 hmac_sha256_update(&hmac_ctx, L256, 4);
292 } else {
293 hmac_sha256_update(&hmac_ctx, L128, 4);
294 }
295 hmac_sha256_final(&hmac_ctx, prfhash);
296
297 memcpy(key, prfhash, key_size);
298 return 0;
299 }
300
301 struct derivation {
302 struct kvec label;
303 struct kvec context;
304 };
305
306 struct derivation_triplet {
307 struct derivation signing;
308 struct derivation encryption;
309 struct derivation decryption;
310 };
311
312 static int
generate_smb3signingkey(struct cifs_ses * ses,struct TCP_Server_Info * server,const struct derivation_triplet * ptriplet)313 generate_smb3signingkey(struct cifs_ses *ses,
314 struct TCP_Server_Info *server,
315 const struct derivation_triplet *ptriplet)
316 {
317 int rc;
318 bool is_binding = false;
319 int chan_index = 0;
320
321 spin_lock(&ses->ses_lock);
322 spin_lock(&ses->chan_lock);
323 is_binding = (cifs_chan_needs_reconnect(ses, server) &&
324 ses->ses_status == SES_GOOD);
325
326 chan_index = cifs_ses_get_chan_index(ses, server);
327 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
328 spin_unlock(&ses->chan_lock);
329 spin_unlock(&ses->ses_lock);
330
331 return -EINVAL;
332 }
333
334 spin_unlock(&ses->chan_lock);
335 spin_unlock(&ses->ses_lock);
336
337 /*
338 * All channels use the same encryption/decryption keys but
339 * they have their own signing key.
340 *
341 * When we generate the keys, check if it is for a new channel
342 * (binding) in which case we only need to generate a signing
343 * key and store it in the channel as to not overwrite the
344 * master connection signing key stored in the session
345 */
346
347 if (is_binding) {
348 rc = generate_key(ses, ptriplet->signing.label,
349 ptriplet->signing.context,
350 ses->chans[chan_index].signkey,
351 SMB3_SIGN_KEY_SIZE);
352 if (rc)
353 return rc;
354 } else {
355 rc = generate_key(ses, ptriplet->signing.label,
356 ptriplet->signing.context,
357 ses->smb3signingkey,
358 SMB3_SIGN_KEY_SIZE);
359 if (rc)
360 return rc;
361
362 /* safe to access primary channel, since it will never go away */
363 spin_lock(&ses->chan_lock);
364 memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
365 SMB3_SIGN_KEY_SIZE);
366 spin_unlock(&ses->chan_lock);
367
368 rc = generate_key(ses, ptriplet->encryption.label,
369 ptriplet->encryption.context,
370 ses->smb3encryptionkey,
371 SMB3_ENC_DEC_KEY_SIZE);
372 if (rc)
373 return rc;
374 rc = generate_key(ses, ptriplet->decryption.label,
375 ptriplet->decryption.context,
376 ses->smb3decryptionkey,
377 SMB3_ENC_DEC_KEY_SIZE);
378 if (rc)
379 return rc;
380 }
381
382 #ifdef CONFIG_CIFS_DEBUG_DUMP_KEYS
383 cifs_dbg(VFS, "%s: dumping generated AES session keys\n", __func__);
384 /*
385 * The session id is opaque in terms of endianness, so we can't
386 * print it as a long long. we dump it as we got it on the wire
387 */
388 cifs_dbg(VFS, "Session Id %*ph\n", (int)sizeof(ses->Suid),
389 &ses->Suid);
390 cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type);
391 cifs_dbg(VFS, "Session Key %*ph\n",
392 SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
393 cifs_dbg(VFS, "Signing Key %*ph\n",
394 SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
395 if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
396 (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) {
397 cifs_dbg(VFS, "ServerIn Key %*ph\n",
398 SMB3_GCM256_CRYPTKEY_SIZE, ses->smb3encryptionkey);
399 cifs_dbg(VFS, "ServerOut Key %*ph\n",
400 SMB3_GCM256_CRYPTKEY_SIZE, ses->smb3decryptionkey);
401 } else {
402 cifs_dbg(VFS, "ServerIn Key %*ph\n",
403 SMB3_GCM128_CRYPTKEY_SIZE, ses->smb3encryptionkey);
404 cifs_dbg(VFS, "ServerOut Key %*ph\n",
405 SMB3_GCM128_CRYPTKEY_SIZE, ses->smb3decryptionkey);
406 }
407 #endif
408 return rc;
409 }
410
411 int
generate_smb30signingkey(struct cifs_ses * ses,struct TCP_Server_Info * server)412 generate_smb30signingkey(struct cifs_ses *ses,
413 struct TCP_Server_Info *server)
414
415 {
416 struct derivation_triplet triplet;
417 struct derivation *d;
418
419 d = &triplet.signing;
420 d->label.iov_base = "SMB2AESCMAC";
421 d->label.iov_len = 12;
422 d->context.iov_base = "SmbSign";
423 d->context.iov_len = 8;
424
425 d = &triplet.encryption;
426 d->label.iov_base = "SMB2AESCCM";
427 d->label.iov_len = 11;
428 d->context.iov_base = "ServerIn ";
429 d->context.iov_len = 10;
430
431 d = &triplet.decryption;
432 d->label.iov_base = "SMB2AESCCM";
433 d->label.iov_len = 11;
434 d->context.iov_base = "ServerOut";
435 d->context.iov_len = 10;
436
437 return generate_smb3signingkey(ses, server, &triplet);
438 }
439
440 int
generate_smb311signingkey(struct cifs_ses * ses,struct TCP_Server_Info * server)441 generate_smb311signingkey(struct cifs_ses *ses,
442 struct TCP_Server_Info *server)
443
444 {
445 struct derivation_triplet triplet;
446 struct derivation *d;
447
448 d = &triplet.signing;
449 d->label.iov_base = "SMBSigningKey";
450 d->label.iov_len = 14;
451 d->context.iov_base = ses->preauth_sha_hash;
452 d->context.iov_len = 64;
453
454 d = &triplet.encryption;
455 d->label.iov_base = "SMBC2SCipherKey";
456 d->label.iov_len = 16;
457 d->context.iov_base = ses->preauth_sha_hash;
458 d->context.iov_len = 64;
459
460 d = &triplet.decryption;
461 d->label.iov_base = "SMBS2CCipherKey";
462 d->label.iov_len = 16;
463 d->context.iov_base = ses->preauth_sha_hash;
464 d->context.iov_len = 64;
465
466 return generate_smb3signingkey(ses, server, &triplet);
467 }
468
469 static int
smb3_calc_signature(struct smb_rqst * rqst,struct TCP_Server_Info * server,bool allocate_crypto)470 smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
471 bool allocate_crypto)
472 {
473 int rc;
474 unsigned char smb3_signature[SMB2_CMACAES_SIZE];
475 struct kvec *iov = rqst->rq_iov;
476 struct smb2_hdr *shdr = (struct smb2_hdr *)iov[0].iov_base;
477 struct shash_desc *shash = NULL;
478 struct smb_rqst drqst;
479 u8 key[SMB3_SIGN_KEY_SIZE];
480
481 if (server->vals->protocol_id <= SMB21_PROT_ID)
482 return smb2_calc_signature(rqst, server, allocate_crypto);
483
484 rc = smb3_get_sign_key(le64_to_cpu(shdr->SessionId), server, key);
485 if (unlikely(rc)) {
486 cifs_server_dbg(FYI, "%s: Could not get signing key\n", __func__);
487 return rc;
488 }
489
490 if (allocate_crypto) {
491 rc = cifs_alloc_hash("cmac(aes)", &shash);
492 if (rc)
493 return rc;
494 } else {
495 shash = server->secmech.aes_cmac;
496 }
497
498 memset(smb3_signature, 0x0, SMB2_CMACAES_SIZE);
499 memset(shdr->Signature, 0x0, SMB2_SIGNATURE_SIZE);
500
501 rc = crypto_shash_setkey(shash->tfm, key, SMB2_CMACAES_SIZE);
502 if (rc) {
503 cifs_server_dbg(VFS, "%s: Could not set key for cmac aes\n", __func__);
504 goto out;
505 }
506
507 /*
508 * we already allocate aes_cmac when we init smb3 signing key,
509 * so unlike smb2 case we do not have to check here if secmech are
510 * initialized
511 */
512 rc = crypto_shash_init(shash);
513 if (rc) {
514 cifs_server_dbg(VFS, "%s: Could not init cmac aes\n", __func__);
515 goto out;
516 }
517
518 /*
519 * For SMB2+, __cifs_calc_signature() expects to sign only the actual
520 * data, that is, iov[0] should not contain a rfc1002 length.
521 *
522 * Sign the rfc1002 length prior to passing the data (iov[1-N]) down to
523 * __cifs_calc_signature().
524 */
525 drqst = *rqst;
526 if (drqst.rq_nvec >= 2 && iov[0].iov_len == 4) {
527 rc = crypto_shash_update(shash, iov[0].iov_base,
528 iov[0].iov_len);
529 if (rc) {
530 cifs_server_dbg(VFS, "%s: Could not update with payload\n",
531 __func__);
532 goto out;
533 }
534 drqst.rq_iov++;
535 drqst.rq_nvec--;
536 }
537
538 rc = __cifs_calc_signature(
539 &drqst, server, smb3_signature,
540 &(struct cifs_calc_sig_ctx){ .shash = shash });
541 if (!rc)
542 memcpy(shdr->Signature, smb3_signature, SMB2_SIGNATURE_SIZE);
543
544 out:
545 if (allocate_crypto)
546 cifs_free_hash(&shash);
547 return rc;
548 }
549
550 /* must be called with server->srv_mutex held */
551 static int
smb2_sign_rqst(struct smb_rqst * rqst,struct TCP_Server_Info * server)552 smb2_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server)
553 {
554 struct smb2_hdr *shdr;
555 struct smb2_sess_setup_req *ssr;
556 bool is_binding;
557 bool is_signed;
558
559 shdr = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
560 ssr = (struct smb2_sess_setup_req *)shdr;
561
562 is_binding = shdr->Command == SMB2_SESSION_SETUP &&
563 (ssr->Flags & SMB2_SESSION_REQ_FLAG_BINDING);
564 is_signed = shdr->Flags & SMB2_FLAGS_SIGNED;
565
566 if (!is_signed)
567 return 0;
568 spin_lock(&server->srv_lock);
569 if (server->ops->need_neg &&
570 server->ops->need_neg(server)) {
571 spin_unlock(&server->srv_lock);
572 return 0;
573 }
574 spin_unlock(&server->srv_lock);
575 if (!is_binding && !server->session_estab) {
576 strscpy(shdr->Signature, "BSRSPYL");
577 return 0;
578 }
579
580 return smb3_calc_signature(rqst, server, false);
581 }
582
583 int
smb2_verify_signature(struct smb_rqst * rqst,struct TCP_Server_Info * server)584 smb2_verify_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
585 {
586 unsigned int rc;
587 char server_response_sig[SMB2_SIGNATURE_SIZE];
588 struct smb2_hdr *shdr =
589 (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
590
591 if ((shdr->Command == SMB2_NEGOTIATE) ||
592 (shdr->Command == SMB2_SESSION_SETUP) ||
593 (shdr->Command == SMB2_OPLOCK_BREAK) ||
594 server->ignore_signature ||
595 (!server->session_estab))
596 return 0;
597
598 /*
599 * BB what if signatures are supposed to be on for session but
600 * server does not send one? BB
601 */
602
603 /* Do not need to verify session setups with signature "BSRSPYL " */
604 if (memcmp(shdr->Signature, "BSRSPYL ", 8) == 0)
605 cifs_dbg(FYI, "dummy signature received for smb command 0x%x\n",
606 shdr->Command);
607
608 /*
609 * Save off the original signature so we can modify the smb and check
610 * our calculated signature against what the server sent.
611 */
612 memcpy(server_response_sig, shdr->Signature, SMB2_SIGNATURE_SIZE);
613
614 memset(shdr->Signature, 0, SMB2_SIGNATURE_SIZE);
615
616 rc = smb3_calc_signature(rqst, server, true);
617
618 if (rc)
619 return rc;
620
621 if (crypto_memneq(server_response_sig, shdr->Signature,
622 SMB2_SIGNATURE_SIZE)) {
623 cifs_dbg(VFS, "sign fail cmd 0x%x message id 0x%llx\n",
624 shdr->Command, shdr->MessageId);
625 return -EACCES;
626 } else
627 return 0;
628 }
629
630 /*
631 * Set message id for the request. Should be called after wait_for_free_request
632 * and when srv_mutex is held.
633 */
634 static inline void
smb2_seq_num_into_buf(struct TCP_Server_Info * server,struct smb2_hdr * shdr)635 smb2_seq_num_into_buf(struct TCP_Server_Info *server,
636 struct smb2_hdr *shdr)
637 {
638 unsigned int i, num = le16_to_cpu(shdr->CreditCharge);
639
640 shdr->MessageId = get_next_mid64(server);
641 /* skip message numbers according to CreditCharge field */
642 for (i = 1; i < num; i++)
643 get_next_mid(server);
644 }
645
646 static struct mid_q_entry *
smb2_mid_entry_alloc(const struct smb2_hdr * shdr,struct TCP_Server_Info * server)647 smb2_mid_entry_alloc(const struct smb2_hdr *shdr,
648 struct TCP_Server_Info *server)
649 {
650 struct mid_q_entry *temp;
651 unsigned int credits = le16_to_cpu(shdr->CreditCharge);
652
653 if (server == NULL) {
654 cifs_dbg(VFS, "Null TCP session in smb2_mid_entry_alloc\n");
655 return NULL;
656 }
657
658 temp = mempool_alloc(&cifs_mid_pool, GFP_NOFS);
659 memset(temp, 0, sizeof(struct mid_q_entry));
660 refcount_set(&temp->refcount, 1);
661 spin_lock_init(&temp->mid_lock);
662 temp->mid = le64_to_cpu(shdr->MessageId);
663 temp->credits = credits > 0 ? credits : 1;
664 temp->pid = current->pid;
665 temp->command = shdr->Command; /* Always LE */
666 temp->when_alloc = jiffies;
667
668 /*
669 * The default is for the mid to be synchronous, so the
670 * default callback just wakes up the current task.
671 */
672 get_task_struct(current);
673 temp->creator = current;
674 temp->callback = cifs_wake_up_task;
675 temp->callback_data = current;
676
677 atomic_inc(&mid_count);
678 temp->mid_state = MID_REQUEST_ALLOCATED;
679 trace_smb3_cmd_enter(le32_to_cpu(shdr->Id.SyncId.TreeId),
680 le64_to_cpu(shdr->SessionId),
681 le16_to_cpu(shdr->Command), temp->mid);
682 return temp;
683 }
684
685 static int
smb2_get_mid_entry(struct cifs_ses * ses,struct TCP_Server_Info * server,struct smb2_hdr * shdr,struct mid_q_entry ** mid)686 smb2_get_mid_entry(struct cifs_ses *ses, struct TCP_Server_Info *server,
687 struct smb2_hdr *shdr, struct mid_q_entry **mid)
688 {
689 switch (READ_ONCE(server->tcpStatus)) {
690 case CifsExiting:
691 return -ENOENT;
692 case CifsNeedReconnect:
693 cifs_dbg(FYI, "tcp session dead - return to caller to retry\n");
694 return -EAGAIN;
695 case CifsNeedNegotiate:
696 if (shdr->Command != SMB2_NEGOTIATE)
697 return -EAGAIN;
698 break;
699 default:
700 break;
701 }
702
703 switch (READ_ONCE(ses->ses_status)) {
704 case SES_NEW:
705 if (shdr->Command != SMB2_SESSION_SETUP &&
706 shdr->Command != SMB2_NEGOTIATE)
707 return -EAGAIN;
708 /* else ok - we are setting up session */
709 break;
710 case SES_EXITING:
711 if (shdr->Command != SMB2_LOGOFF)
712 return -EAGAIN;
713 /* else ok - we are shutting down the session */
714 break;
715 default:
716 break;
717 }
718
719 *mid = smb2_mid_entry_alloc(shdr, server);
720 if (*mid == NULL)
721 return -ENOMEM;
722 spin_lock(&server->mid_queue_lock);
723 list_add_tail(&(*mid)->qhead, &server->pending_mid_q);
724 spin_unlock(&server->mid_queue_lock);
725
726 return 0;
727 }
728
729 int
smb2_check_receive(struct mid_q_entry * mid,struct TCP_Server_Info * server,bool log_error)730 smb2_check_receive(struct mid_q_entry *mid, struct TCP_Server_Info *server,
731 bool log_error)
732 {
733 unsigned int len = mid->resp_buf_size;
734 struct kvec iov[1];
735 struct smb_rqst rqst = { .rq_iov = iov,
736 .rq_nvec = 1 };
737
738 iov[0].iov_base = (char *)mid->resp_buf;
739 iov[0].iov_len = len;
740
741 dump_smb(mid->resp_buf, min_t(u32, 80, len));
742 /* convert the length into a more usable form */
743 if (len > 24 && server->sign && !mid->decrypted) {
744 int rc;
745
746 rc = smb2_verify_signature(&rqst, server);
747 if (rc)
748 cifs_server_dbg(VFS, "SMB signature verification returned error = %d\n",
749 rc);
750 }
751
752 return map_smb2_to_linux_error(mid->resp_buf, log_error);
753 }
754
755 struct mid_q_entry *
smb2_setup_request(struct cifs_ses * ses,struct TCP_Server_Info * server,struct smb_rqst * rqst)756 smb2_setup_request(struct cifs_ses *ses, struct TCP_Server_Info *server,
757 struct smb_rqst *rqst)
758 {
759 int rc;
760 struct smb2_hdr *shdr =
761 (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
762 struct mid_q_entry *mid;
763
764 smb2_seq_num_into_buf(server, shdr);
765
766 rc = smb2_get_mid_entry(ses, server, shdr, &mid);
767 if (rc) {
768 revert_current_mid_from_hdr(server, shdr);
769 return ERR_PTR(rc);
770 }
771
772 rc = smb2_sign_rqst(rqst, server);
773 if (rc) {
774 revert_current_mid_from_hdr(server, shdr);
775 delete_mid(server, mid);
776 return ERR_PTR(rc);
777 }
778
779 return mid;
780 }
781
782 struct mid_q_entry *
smb2_setup_async_request(struct TCP_Server_Info * server,struct smb_rqst * rqst)783 smb2_setup_async_request(struct TCP_Server_Info *server, struct smb_rqst *rqst)
784 {
785 int rc;
786 struct smb2_hdr *shdr =
787 (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
788 struct mid_q_entry *mid;
789
790 spin_lock(&server->srv_lock);
791 if (server->tcpStatus == CifsNeedNegotiate &&
792 shdr->Command != SMB2_NEGOTIATE) {
793 spin_unlock(&server->srv_lock);
794 return ERR_PTR(-EAGAIN);
795 }
796 spin_unlock(&server->srv_lock);
797
798 smb2_seq_num_into_buf(server, shdr);
799
800 mid = smb2_mid_entry_alloc(shdr, server);
801 if (mid == NULL) {
802 revert_current_mid_from_hdr(server, shdr);
803 return ERR_PTR(-ENOMEM);
804 }
805
806 rc = smb2_sign_rqst(rqst, server);
807 if (rc) {
808 revert_current_mid_from_hdr(server, shdr);
809 release_mid(server, mid);
810 return ERR_PTR(rc);
811 }
812
813 return mid;
814 }
815
816 int
smb3_crypto_aead_allocate(struct TCP_Server_Info * server)817 smb3_crypto_aead_allocate(struct TCP_Server_Info *server)
818 {
819 struct crypto_aead *tfm;
820
821 if (!server->secmech.enc) {
822 if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
823 (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
824 tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
825 else
826 tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
827 if (IS_ERR(tfm)) {
828 cifs_server_dbg(VFS, "%s: Failed alloc encrypt aead\n",
829 __func__);
830 return PTR_ERR(tfm);
831 }
832 server->secmech.enc = tfm;
833 }
834
835 if (!server->secmech.dec) {
836 if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
837 (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
838 tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
839 else
840 tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
841 if (IS_ERR(tfm)) {
842 crypto_free_aead(server->secmech.enc);
843 server->secmech.enc = NULL;
844 cifs_server_dbg(VFS, "%s: Failed to alloc decrypt aead\n",
845 __func__);
846 return PTR_ERR(tfm);
847 }
848 server->secmech.dec = tfm;
849 }
850
851 return 0;
852 }
853