1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifsglob.h" 12 #include "cifsproto.h" 13 #include "cifs_unicode.h" 14 #include "cifs_debug.h" 15 #include "ntlmssp.h" 16 #include "nterr.h" 17 #include <linux/utsname.h> 18 #include <linux/slab.h> 19 #include <linux/version.h> 20 #include "cifsfs.h" 21 #include "cifs_spnego.h" 22 #include "smb2proto.h" 23 #include "fs_context.h" 24 25 static int 26 cifs_ses_add_channel(struct cifs_ses *ses, 27 struct cifs_server_iface *iface); 28 29 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 30 { 31 int i; 32 33 spin_lock(&ses->chan_lock); 34 for (i = 0; i < ses->chan_count; i++) { 35 if (ses->chans[i].iface == iface) { 36 spin_unlock(&ses->chan_lock); 37 return true; 38 } 39 } 40 spin_unlock(&ses->chan_lock); 41 return false; 42 } 43 44 /* channel helper functions. assumed that chan_lock is held by caller. */ 45 46 int 47 cifs_ses_get_chan_index(struct cifs_ses *ses, 48 struct TCP_Server_Info *server) 49 { 50 unsigned int i; 51 52 /* if the channel is waiting for termination */ 53 if (server && server->terminate) 54 return CIFS_INVAL_CHAN_INDEX; 55 56 for (i = 0; i < ses->chan_count; i++) { 57 if (ses->chans[i].server == server) 58 return i; 59 } 60 61 /* If we didn't find the channel, it is likely a bug */ 62 if (server) 63 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 64 server->conn_id); 65 return CIFS_INVAL_CHAN_INDEX; 66 } 67 68 void 69 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 70 struct TCP_Server_Info *server) 71 { 72 int chan_index = cifs_ses_get_chan_index(ses, server); 73 74 if (chan_index == CIFS_INVAL_CHAN_INDEX) 75 return; 76 77 ses->chans[chan_index].in_reconnect = true; 78 } 79 80 void 81 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 82 struct TCP_Server_Info *server) 83 { 84 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 85 86 if (chan_index == CIFS_INVAL_CHAN_INDEX) 87 return; 88 89 ses->chans[chan_index].in_reconnect = false; 90 } 91 92 void 93 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 94 struct TCP_Server_Info *server) 95 { 96 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 97 98 if (chan_index == CIFS_INVAL_CHAN_INDEX) 99 return; 100 101 set_bit(chan_index, &ses->chans_need_reconnect); 102 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 103 chan_index, ses->chans_need_reconnect); 104 } 105 106 void 107 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 108 struct TCP_Server_Info *server) 109 { 110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 111 112 if (chan_index == CIFS_INVAL_CHAN_INDEX) 113 return; 114 115 clear_bit(chan_index, &ses->chans_need_reconnect); 116 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 117 chan_index, ses->chans_need_reconnect); 118 } 119 120 bool 121 cifs_chan_needs_reconnect(struct cifs_ses *ses, 122 struct TCP_Server_Info *server) 123 { 124 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 125 126 if (chan_index == CIFS_INVAL_CHAN_INDEX) 127 return true; /* err on the safer side */ 128 129 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 130 } 131 132 bool 133 cifs_chan_is_iface_active(struct cifs_ses *ses, 134 struct TCP_Server_Info *server) 135 { 136 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 137 138 if (chan_index == CIFS_INVAL_CHAN_INDEX) 139 return true; /* err on the safer side */ 140 141 return ses->chans[chan_index].iface && 142 ses->chans[chan_index].iface->is_active; 143 } 144 145 /* returns number of channels added */ 146 int cifs_try_adding_channels(struct cifs_ses *ses) 147 { 148 struct TCP_Server_Info *server = ses->server; 149 int old_chan_count, new_chan_count; 150 int left; 151 int rc = 0; 152 int tries = 0; 153 size_t iface_weight = 0, iface_min_speed = 0; 154 struct cifs_server_iface *iface = NULL, *niface = NULL; 155 struct cifs_server_iface *last_iface = NULL; 156 157 spin_lock(&ses->chan_lock); 158 159 new_chan_count = old_chan_count = ses->chan_count; 160 left = ses->chan_max - ses->chan_count; 161 162 if (left <= 0) { 163 spin_unlock(&ses->chan_lock); 164 cifs_dbg(FYI, 165 "ses already at max_channels (%zu), nothing to open\n", 166 ses->chan_max); 167 return 0; 168 } 169 170 if (server->dialect < SMB30_PROT_ID) { 171 spin_unlock(&ses->chan_lock); 172 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 173 return 0; 174 } 175 176 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 177 spin_unlock(&ses->chan_lock); 178 cifs_server_dbg(VFS, "no multichannel support\n"); 179 return 0; 180 } 181 spin_unlock(&ses->chan_lock); 182 183 while (left > 0) { 184 185 tries++; 186 if (tries > 3*ses->chan_max) { 187 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 188 left); 189 break; 190 } 191 192 spin_lock(&ses->iface_lock); 193 if (!ses->iface_count) { 194 spin_unlock(&ses->iface_lock); 195 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", 196 ses->server->hostname); 197 break; 198 } 199 200 if (!iface) 201 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 202 iface_head); 203 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 204 iface_head); 205 iface_min_speed = last_iface->speed; 206 207 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 208 iface_head) { 209 /* do not mix rdma and non-rdma interfaces */ 210 if (iface->rdma_capable != ses->server->rdma) 211 continue; 212 213 /* skip ifaces that are unusable */ 214 if (!iface->is_active || 215 (is_ses_using_iface(ses, iface) && 216 !iface->rss_capable)) 217 continue; 218 219 /* check if we already allocated enough channels */ 220 iface_weight = iface->speed / iface_min_speed; 221 222 if (iface->weight_fulfilled >= iface_weight) 223 continue; 224 225 /* take ref before unlock */ 226 kref_get(&iface->refcount); 227 228 spin_unlock(&ses->iface_lock); 229 rc = cifs_ses_add_channel(ses, iface); 230 spin_lock(&ses->iface_lock); 231 232 if (rc) { 233 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 234 &iface->sockaddr, 235 rc); 236 kref_put(&iface->refcount, release_iface); 237 /* failure to add chan should increase weight */ 238 iface->weight_fulfilled++; 239 continue; 240 } 241 242 iface->num_channels++; 243 iface->weight_fulfilled++; 244 cifs_info("successfully opened new channel on iface:%pIS\n", 245 &iface->sockaddr); 246 break; 247 } 248 249 /* reached end of list. reset weight_fulfilled and start over */ 250 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 251 list_for_each_entry(iface, &ses->iface_list, iface_head) 252 iface->weight_fulfilled = 0; 253 spin_unlock(&ses->iface_lock); 254 iface = NULL; 255 continue; 256 } 257 spin_unlock(&ses->iface_lock); 258 259 left--; 260 new_chan_count++; 261 } 262 263 return new_chan_count - old_chan_count; 264 } 265 266 /* 267 * cifs_decrease_secondary_channels - Reduce the number of active secondary channels 268 * @ses: pointer to the CIFS session structure 269 * @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max 270 * 271 * This function disables and cleans up extra secondary channels for a CIFS session. 272 * If called during reconfiguration, it reduces the channel count to the new maximum (chan_max). 273 * Otherwise, it disables all but the primary channel. 274 */ 275 void 276 cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan) 277 { 278 int i, chan_count; 279 struct TCP_Server_Info *server; 280 struct cifs_server_iface *iface; 281 282 spin_lock(&ses->chan_lock); 283 chan_count = ses->chan_count; 284 if (chan_count == 1) 285 goto done; 286 287 /* Update the chan_count to the new maximum */ 288 if (disable_mchan) { 289 cifs_dbg(FYI, "server does not support multichannel anymore.\n"); 290 ses->chan_count = 1; 291 } else { 292 ses->chan_count = ses->chan_max; 293 } 294 295 /* Disable all secondary channels beyond the new chan_count */ 296 for (i = ses->chan_count ; i < chan_count; i++) { 297 iface = ses->chans[i].iface; 298 server = ses->chans[i].server; 299 300 /* 301 * remove these references first, since we need to unlock 302 * the chan_lock here, since iface_lock is a higher lock 303 */ 304 ses->chans[i].iface = NULL; 305 ses->chans[i].server = NULL; 306 spin_unlock(&ses->chan_lock); 307 308 if (iface) { 309 spin_lock(&ses->iface_lock); 310 iface->num_channels--; 311 if (iface->weight_fulfilled) 312 iface->weight_fulfilled--; 313 kref_put(&iface->refcount, release_iface); 314 spin_unlock(&ses->iface_lock); 315 } 316 317 if (server) { 318 if (!server->terminate) { 319 server->terminate = true; 320 cifs_signal_cifsd_for_reconnect(server, false); 321 } 322 cifs_put_tcp_session(server, false); 323 } 324 325 spin_lock(&ses->chan_lock); 326 } 327 328 /* For extra secondary channels, reset the need reconnect bit */ 329 if (ses->chan_count == 1) { 330 cifs_dbg(VFS, "Disable all secondary channels\n"); 331 ses->chans_need_reconnect &= 1; 332 } else { 333 cifs_dbg(VFS, "Disable extra secondary channels\n"); 334 ses->chans_need_reconnect &= ((1UL << ses->chan_max) - 1); 335 } 336 337 done: 338 spin_unlock(&ses->chan_lock); 339 } 340 341 /* update the iface for the channel if necessary. */ 342 void 343 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 344 { 345 unsigned int chan_index; 346 size_t iface_weight = 0, iface_min_speed = 0; 347 struct cifs_server_iface *iface = NULL; 348 struct cifs_server_iface *old_iface = NULL; 349 struct cifs_server_iface *last_iface = NULL; 350 struct sockaddr_storage ss; 351 int retry = 0; 352 353 spin_lock(&ses->chan_lock); 354 chan_index = cifs_ses_get_chan_index(ses, server); 355 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 356 spin_unlock(&ses->chan_lock); 357 return; 358 } 359 360 if (ses->chans[chan_index].iface) { 361 old_iface = ses->chans[chan_index].iface; 362 if (old_iface->is_active) { 363 spin_unlock(&ses->chan_lock); 364 return; 365 } 366 } 367 spin_unlock(&ses->chan_lock); 368 369 spin_lock(&server->srv_lock); 370 ss = server->dstaddr; 371 spin_unlock(&server->srv_lock); 372 373 spin_lock(&ses->iface_lock); 374 if (!ses->iface_count) { 375 spin_unlock(&ses->iface_lock); 376 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname); 377 return; 378 } 379 380 try_again: 381 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 382 iface_head); 383 iface_min_speed = last_iface->speed; 384 385 /* then look for a new one */ 386 list_for_each_entry(iface, &ses->iface_list, iface_head) { 387 if (!chan_index) { 388 /* if we're trying to get the updated iface for primary channel */ 389 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 390 (struct sockaddr *) &iface->sockaddr)) 391 continue; 392 393 kref_get(&iface->refcount); 394 break; 395 } 396 397 /* do not mix rdma and non-rdma interfaces */ 398 if (iface->rdma_capable != server->rdma) 399 continue; 400 401 if (!iface->is_active || 402 (is_ses_using_iface(ses, iface) && 403 !iface->rss_capable)) { 404 continue; 405 } 406 407 /* check if we already allocated enough channels */ 408 iface_weight = iface->speed / iface_min_speed; 409 410 if (iface->weight_fulfilled >= iface_weight) 411 continue; 412 413 kref_get(&iface->refcount); 414 break; 415 } 416 417 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 418 list_for_each_entry(iface, &ses->iface_list, iface_head) 419 iface->weight_fulfilled = 0; 420 421 /* see if it can be satisfied in second attempt */ 422 if (!retry++) 423 goto try_again; 424 425 iface = NULL; 426 cifs_dbg(FYI, "unable to find a suitable iface\n"); 427 } 428 429 if (!iface) { 430 if (!chan_index) 431 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 432 &ss); 433 else { 434 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n", 435 &old_iface->sockaddr); 436 } 437 438 spin_unlock(&ses->iface_lock); 439 return; 440 } 441 442 /* now drop the ref to the current iface */ 443 if (old_iface) { 444 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 445 &old_iface->sockaddr, 446 &iface->sockaddr); 447 448 old_iface->num_channels--; 449 if (old_iface->weight_fulfilled) 450 old_iface->weight_fulfilled--; 451 iface->num_channels++; 452 iface->weight_fulfilled++; 453 454 kref_put(&old_iface->refcount, release_iface); 455 } else if (!chan_index) { 456 /* special case: update interface for primary channel */ 457 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 458 &iface->sockaddr); 459 iface->num_channels++; 460 iface->weight_fulfilled++; 461 } 462 spin_unlock(&ses->iface_lock); 463 464 spin_lock(&ses->chan_lock); 465 chan_index = cifs_ses_get_chan_index(ses, server); 466 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 467 spin_unlock(&ses->chan_lock); 468 return; 469 } 470 471 ses->chans[chan_index].iface = iface; 472 spin_unlock(&ses->chan_lock); 473 474 spin_lock(&server->srv_lock); 475 memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr)); 476 spin_unlock(&server->srv_lock); 477 } 478 479 static int 480 cifs_ses_add_channel(struct cifs_ses *ses, 481 struct cifs_server_iface *iface) 482 { 483 struct TCP_Server_Info *chan_server; 484 struct cifs_chan *chan; 485 struct smb3_fs_context *ctx; 486 static const char unc_fmt[] = "\\%s\\foo"; 487 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 488 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 489 size_t len; 490 int rc; 491 unsigned int xid = get_xid(); 492 493 if (iface->sockaddr.ss_family == AF_INET) 494 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 495 ses, iface->speed, str_yes_no(iface->rdma_capable), 496 &ipv4->sin_addr); 497 else 498 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 499 ses, iface->speed, str_yes_no(iface->rdma_capable), 500 &ipv6->sin6_addr); 501 502 /* 503 * Setup a ctx with mostly the same info as the existing 504 * session and overwrite it with the requested iface data. 505 * 506 * We need to setup at least the fields used for negprot and 507 * sesssetup. 508 * 509 * We only need the ctx here, so we can reuse memory from 510 * the session and server without caring about memory 511 * management. 512 */ 513 ctx = kzalloc_obj(*ctx); 514 if (!ctx) { 515 rc = -ENOMEM; 516 goto out_free_xid; 517 } 518 519 /* Always make new connection for now (TODO?) */ 520 ctx->nosharesock = true; 521 522 /* Auth */ 523 ctx->domainauto = ses->domainAuto; 524 ctx->domainname = ses->domainName; 525 526 ctx->server_hostname = ses->server->hostname; 527 528 ctx->username = ses->user_name; 529 ctx->password = ses->password; 530 ctx->sectype = ses->sectype; 531 ctx->sign = ses->sign; 532 ctx->unicode = ses->unicode; 533 534 /* UNC and paths */ 535 /* XXX: Use ses->server->hostname? */ 536 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 537 ctx->UNC = kzalloc(len, GFP_KERNEL); 538 if (!ctx->UNC) { 539 rc = -ENOMEM; 540 goto out_free_ctx; 541 } 542 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 543 ctx->prepath = ""; 544 545 /* Reuse same version as master connection */ 546 ctx->vals = ses->server->vals; 547 ctx->ops = ses->server->ops; 548 549 ctx->noblocksnd = ses->server->noblocksnd; 550 ctx->noautotune = ses->server->noautotune; 551 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 552 ctx->echo_interval = ses->server->echo_interval / HZ; 553 ctx->max_credits = ses->server->max_credits; 554 ctx->min_offload = ses->server->min_offload; 555 ctx->compress = ses->server->compression.requested; 556 ctx->dfs_conn = ses->server->dfs_conn; 557 ctx->ignore_signature = ses->server->ignore_signature; 558 ctx->leaf_fullpath = ses->server->leaf_fullpath; 559 ctx->rootfs = ses->server->noblockcnt; 560 ctx->retrans = ses->server->retrans; 561 562 /* 563 * This will be used for encoding/decoding user/domain/pw 564 * during sess setup auth. 565 */ 566 ctx->local_nls = ses->local_nls; 567 568 /* Use RDMA if possible */ 569 ctx->rdma = iface->rdma_capable; 570 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 571 572 /* reuse master con client guid */ 573 memcpy(&ctx->client_guid, ses->server->client_guid, 574 sizeof(ctx->client_guid)); 575 ctx->use_client_guid = true; 576 577 chan_server = cifs_get_tcp_session(ctx, ses->server); 578 579 spin_lock(&ses->chan_lock); 580 chan = &ses->chans[ses->chan_count]; 581 chan->server = chan_server; 582 if (IS_ERR(chan->server)) { 583 rc = PTR_ERR(chan->server); 584 chan->server = NULL; 585 spin_unlock(&ses->chan_lock); 586 goto out; 587 } 588 chan->iface = iface; 589 ses->chan_count++; 590 atomic_set(&ses->chan_seq, 0); 591 592 /* Mark this channel as needing connect/setup */ 593 cifs_chan_set_need_reconnect(ses, chan->server); 594 595 spin_unlock(&ses->chan_lock); 596 597 mutex_lock(&ses->session_mutex); 598 599 rc = cifs_negotiate_protocol(xid, ses, chan->server); 600 if (!rc) 601 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 602 603 mutex_unlock(&ses->session_mutex); 604 605 out: 606 if (rc && chan->server) { 607 cifs_put_tcp_session(chan->server, 0); 608 609 spin_lock(&ses->chan_lock); 610 611 /* we rely on all bits beyond chan_count to be clear */ 612 cifs_chan_clear_need_reconnect(ses, chan->server); 613 ses->chan_count--; 614 /* 615 * chan_count should never reach 0 as at least the primary 616 * channel is always allocated 617 */ 618 WARN_ON(ses->chan_count < 1); 619 spin_unlock(&ses->chan_lock); 620 } 621 622 kfree(ctx->UNC); 623 out_free_ctx: 624 kfree(ctx); 625 out_free_xid: 626 free_xid(xid); 627 return rc; 628 } 629 630 631 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 632 struct cifs_ses *ses) 633 { 634 unsigned int tioffset; /* challenge message target info area */ 635 unsigned int tilen; /* challenge message target info area length */ 636 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 637 __u32 server_flags; 638 639 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 640 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 641 return -EINVAL; 642 } 643 644 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 645 cifs_dbg(VFS, "blob signature incorrect %s\n", 646 pblob->Signature); 647 return -EINVAL; 648 } 649 if (pblob->MessageType != NtLmChallenge) { 650 cifs_dbg(VFS, "Incorrect message type %d\n", 651 pblob->MessageType); 652 return -EINVAL; 653 } 654 655 server_flags = le32_to_cpu(pblob->NegotiateFlags); 656 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 657 ses->ntlmssp->client_flags, server_flags); 658 659 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 660 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 661 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 662 __func__); 663 return -EINVAL; 664 } 665 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 666 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 667 return -EINVAL; 668 } 669 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 670 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 671 __func__); 672 return -EOPNOTSUPP; 673 } 674 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 675 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 676 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 677 __func__); 678 679 ses->ntlmssp->server_flags = server_flags; 680 681 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 682 /* 683 * In particular we can examine sign flags 684 * 685 * BB spec says that if AvId field of MsvAvTimestamp is populated then 686 * we must set the MIC field of the AUTHENTICATE_MESSAGE 687 */ 688 689 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 690 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 691 if (tioffset > blob_len || tioffset + tilen > blob_len) { 692 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 693 tioffset, tilen); 694 return -EINVAL; 695 } 696 if (tilen) { 697 kfree_sensitive(ses->auth_key.response); 698 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 699 GFP_KERNEL); 700 if (!ses->auth_key.response) { 701 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 702 return -ENOMEM; 703 } 704 ses->auth_key.len = tilen; 705 } 706 707 return 0; 708 } 709 710 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 711 { 712 int sz = base_size + ses->auth_key.len 713 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 714 715 if (ses->domainName) 716 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 717 else 718 sz += sizeof(__le16); 719 720 if (ses->user_name) 721 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 722 else 723 sz += sizeof(__le16); 724 725 if (ses->workstation_name[0]) 726 sz += sizeof(__le16) * strnlen(ses->workstation_name, 727 ntlmssp_workstation_name_size(ses)); 728 else 729 sz += sizeof(__le16); 730 731 return sz; 732 } 733 734 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 735 char *str_value, 736 int str_length, 737 unsigned char *pstart, 738 unsigned char **pcur, 739 const struct nls_table *nls_cp) 740 { 741 unsigned char *tmp = pstart; 742 int len; 743 744 if (!pbuf) 745 return; 746 747 if (!pcur) 748 pcur = &tmp; 749 750 if (!str_value) { 751 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 752 pbuf->Length = 0; 753 pbuf->MaximumLength = 0; 754 *pcur += sizeof(__le16); 755 } else { 756 len = cifs_strtoUTF16((__le16 *)*pcur, 757 str_value, 758 str_length, 759 nls_cp); 760 len *= sizeof(__le16); 761 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 762 pbuf->Length = cpu_to_le16(len); 763 pbuf->MaximumLength = cpu_to_le16(len); 764 *pcur += len; 765 } 766 } 767 768 /* BB Move to ntlmssp.c eventually */ 769 770 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 771 u16 *buflen, 772 struct cifs_ses *ses, 773 struct TCP_Server_Info *server, 774 const struct nls_table *nls_cp) 775 { 776 int rc = 0; 777 NEGOTIATE_MESSAGE *sec_blob; 778 __u32 flags; 779 unsigned char *tmp; 780 int len; 781 782 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 783 *pbuffer = kmalloc(len, GFP_KERNEL); 784 if (!*pbuffer) { 785 rc = -ENOMEM; 786 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 787 *buflen = 0; 788 goto setup_ntlm_neg_ret; 789 } 790 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 791 792 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 793 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 794 sec_blob->MessageType = NtLmNegotiate; 795 796 /* BB is NTLMV2 session security format easier to use here? */ 797 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 798 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 799 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 800 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 801 NTLMSSP_NEGOTIATE_SIGN; 802 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 803 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 804 805 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 806 ses->ntlmssp->client_flags = flags; 807 sec_blob->NegotiateFlags = cpu_to_le32(flags); 808 809 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 810 cifs_security_buffer_from_str(&sec_blob->DomainName, 811 NULL, 812 CIFS_MAX_DOMAINNAME_LEN, 813 *pbuffer, &tmp, 814 nls_cp); 815 816 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 817 NULL, 818 CIFS_MAX_WORKSTATION_LEN, 819 *pbuffer, &tmp, 820 nls_cp); 821 822 *buflen = tmp - *pbuffer; 823 setup_ntlm_neg_ret: 824 return rc; 825 } 826 827 /* 828 * Build ntlmssp blob with additional fields, such as version, 829 * supported by modern servers. For safety limit to SMB3 or later 830 * See notes in MS-NLMP Section 2.2.2.1 e.g. 831 */ 832 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 833 u16 *buflen, 834 struct cifs_ses *ses, 835 struct TCP_Server_Info *server, 836 const struct nls_table *nls_cp) 837 { 838 int rc = 0; 839 struct negotiate_message *sec_blob; 840 __u32 flags; 841 unsigned char *tmp; 842 int len; 843 844 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 845 *pbuffer = kmalloc(len, GFP_KERNEL); 846 if (!*pbuffer) { 847 rc = -ENOMEM; 848 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 849 *buflen = 0; 850 goto setup_ntlm_smb3_neg_ret; 851 } 852 sec_blob = (struct negotiate_message *)*pbuffer; 853 854 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 855 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 856 sec_blob->MessageType = NtLmNegotiate; 857 858 /* BB is NTLMV2 session security format easier to use here? */ 859 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 860 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 861 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 862 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 863 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 864 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 865 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 866 867 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 868 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 869 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 870 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 871 872 tmp = *pbuffer + sizeof(struct negotiate_message); 873 ses->ntlmssp->client_flags = flags; 874 sec_blob->NegotiateFlags = cpu_to_le32(flags); 875 876 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 877 cifs_security_buffer_from_str(&sec_blob->DomainName, 878 NULL, 879 CIFS_MAX_DOMAINNAME_LEN, 880 *pbuffer, &tmp, 881 nls_cp); 882 883 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 884 NULL, 885 CIFS_MAX_WORKSTATION_LEN, 886 *pbuffer, &tmp, 887 nls_cp); 888 889 *buflen = tmp - *pbuffer; 890 setup_ntlm_smb3_neg_ret: 891 return rc; 892 } 893 894 895 /* See MS-NLMP 2.2.1.3 */ 896 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 897 u16 *buflen, 898 struct cifs_ses *ses, 899 struct TCP_Server_Info *server, 900 const struct nls_table *nls_cp) 901 { 902 int rc; 903 AUTHENTICATE_MESSAGE *sec_blob; 904 __u32 flags; 905 unsigned char *tmp; 906 int len; 907 908 rc = setup_ntlmv2_rsp(ses, nls_cp); 909 if (rc) { 910 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 911 *buflen = 0; 912 goto setup_ntlmv2_ret; 913 } 914 915 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 916 *pbuffer = kmalloc(len, GFP_KERNEL); 917 if (!*pbuffer) { 918 rc = -ENOMEM; 919 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 920 *buflen = 0; 921 goto setup_ntlmv2_ret; 922 } 923 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 924 925 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 926 sec_blob->MessageType = NtLmAuthenticate; 927 928 /* send version information in ntlmssp authenticate also */ 929 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 930 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 931 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 932 933 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 934 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 935 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 936 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 937 938 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 939 sec_blob->NegotiateFlags = cpu_to_le32(flags); 940 941 sec_blob->LmChallengeResponse.BufferOffset = 942 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 943 sec_blob->LmChallengeResponse.Length = 0; 944 sec_blob->LmChallengeResponse.MaximumLength = 0; 945 946 sec_blob->NtChallengeResponse.BufferOffset = 947 cpu_to_le32(tmp - *pbuffer); 948 if (ses->user_name != NULL) { 949 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 950 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 951 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 952 953 sec_blob->NtChallengeResponse.Length = 954 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 955 sec_blob->NtChallengeResponse.MaximumLength = 956 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 957 } else { 958 /* 959 * don't send an NT Response for anonymous access 960 */ 961 sec_blob->NtChallengeResponse.Length = 0; 962 sec_blob->NtChallengeResponse.MaximumLength = 0; 963 } 964 965 cifs_security_buffer_from_str(&sec_blob->DomainName, 966 ses->domainName, 967 CIFS_MAX_DOMAINNAME_LEN, 968 *pbuffer, &tmp, 969 nls_cp); 970 971 cifs_security_buffer_from_str(&sec_blob->UserName, 972 ses->user_name, 973 CIFS_MAX_USERNAME_LEN, 974 *pbuffer, &tmp, 975 nls_cp); 976 977 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 978 ses->workstation_name, 979 ntlmssp_workstation_name_size(ses), 980 *pbuffer, &tmp, 981 nls_cp); 982 983 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 984 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 985 !calc_seckey(ses)) { 986 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 987 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 988 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 989 sec_blob->SessionKey.MaximumLength = 990 cpu_to_le16(CIFS_CPHTXT_SIZE); 991 tmp += CIFS_CPHTXT_SIZE; 992 } else { 993 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 994 sec_blob->SessionKey.Length = 0; 995 sec_blob->SessionKey.MaximumLength = 0; 996 } 997 998 *buflen = tmp - *pbuffer; 999 setup_ntlmv2_ret: 1000 return rc; 1001 } 1002 1003 enum securityEnum 1004 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1005 { 1006 switch (server->negflavor) { 1007 case CIFS_NEGFLAVOR_EXTENDED: 1008 switch (requested) { 1009 case Kerberos: 1010 case RawNTLMSSP: 1011 case IAKerb: 1012 return requested; 1013 case Unspecified: 1014 if (server->sec_ntlmssp && 1015 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1016 return RawNTLMSSP; 1017 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) && 1018 (global_secflags & CIFSSEC_MAY_KRB5)) 1019 return Kerberos; 1020 fallthrough; 1021 default: 1022 return Unspecified; 1023 } 1024 case CIFS_NEGFLAVOR_UNENCAP: 1025 switch (requested) { 1026 case NTLMv2: 1027 return requested; 1028 case Unspecified: 1029 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1030 return NTLMv2; 1031 break; 1032 default: 1033 break; 1034 } 1035 fallthrough; 1036 default: 1037 return Unspecified; 1038 } 1039 } 1040