1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 *
4 * SMB/CIFS session setup handling routines
5 *
6 * Copyright (c) International Business Machines Corp., 2006, 2009
7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 */
10
11 #include "cifsglob.h"
12 #include "cifsproto.h"
13 #include "cifs_unicode.h"
14 #include "cifs_debug.h"
15 #include "ntlmssp.h"
16 #include "nterr.h"
17 #include <linux/utsname.h>
18 #include <linux/slab.h>
19 #include <linux/version.h>
20 #include "cifsfs.h"
21 #include "cifs_spnego.h"
22 #include "smb2proto.h"
23 #include "fs_context.h"
24
25 static int
26 cifs_ses_add_channel(struct cifs_ses *ses,
27 struct cifs_server_iface *iface);
28
is_ses_using_iface(struct cifs_ses * ses,struct cifs_server_iface * iface)29 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
30 {
31 int i;
32
33 spin_lock(&ses->chan_lock);
34 for (i = 0; i < ses->chan_count; i++) {
35 if (ses->chans[i].iface == iface) {
36 spin_unlock(&ses->chan_lock);
37 return true;
38 }
39 }
40 spin_unlock(&ses->chan_lock);
41 return false;
42 }
43
44 /* channel helper functions. assumed that chan_lock is held by caller. */
45
46 int
cifs_ses_get_chan_index(struct cifs_ses * ses,struct TCP_Server_Info * server)47 cifs_ses_get_chan_index(struct cifs_ses *ses,
48 struct TCP_Server_Info *server)
49 {
50 unsigned int i;
51
52 /* if the channel is waiting for termination */
53 if (server && server->terminate)
54 return CIFS_INVAL_CHAN_INDEX;
55
56 for (i = 0; i < ses->chan_count; i++) {
57 if (ses->chans[i].server == server)
58 return i;
59 }
60
61 /* If we didn't find the channel, it is likely a bug */
62 if (server)
63 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
64 server->conn_id);
65 return CIFS_INVAL_CHAN_INDEX;
66 }
67
68 void
cifs_chan_set_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)69 cifs_chan_set_in_reconnect(struct cifs_ses *ses,
70 struct TCP_Server_Info *server)
71 {
72 int chan_index = cifs_ses_get_chan_index(ses, server);
73
74 if (chan_index == CIFS_INVAL_CHAN_INDEX)
75 return;
76
77 ses->chans[chan_index].in_reconnect = true;
78 }
79
80 void
cifs_chan_clear_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)81 cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
82 struct TCP_Server_Info *server)
83 {
84 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
85
86 if (chan_index == CIFS_INVAL_CHAN_INDEX)
87 return;
88
89 ses->chans[chan_index].in_reconnect = false;
90 }
91
92 void
cifs_chan_set_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)93 cifs_chan_set_need_reconnect(struct cifs_ses *ses,
94 struct TCP_Server_Info *server)
95 {
96 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
97
98 if (chan_index == CIFS_INVAL_CHAN_INDEX)
99 return;
100
101 set_bit(chan_index, &ses->chans_need_reconnect);
102 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
103 chan_index, ses->chans_need_reconnect);
104 }
105
106 void
cifs_chan_clear_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)107 cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
108 struct TCP_Server_Info *server)
109 {
110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
111
112 if (chan_index == CIFS_INVAL_CHAN_INDEX)
113 return;
114
115 clear_bit(chan_index, &ses->chans_need_reconnect);
116 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
117 chan_index, ses->chans_need_reconnect);
118 }
119
120 bool
cifs_chan_needs_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)121 cifs_chan_needs_reconnect(struct cifs_ses *ses,
122 struct TCP_Server_Info *server)
123 {
124 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
125
126 if (chan_index == CIFS_INVAL_CHAN_INDEX)
127 return true; /* err on the safer side */
128
129 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
130 }
131
132 bool
cifs_chan_is_iface_active(struct cifs_ses * ses,struct TCP_Server_Info * server)133 cifs_chan_is_iface_active(struct cifs_ses *ses,
134 struct TCP_Server_Info *server)
135 {
136 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
137
138 if (chan_index == CIFS_INVAL_CHAN_INDEX)
139 return true; /* err on the safer side */
140
141 return ses->chans[chan_index].iface &&
142 ses->chans[chan_index].iface->is_active;
143 }
144
145 /* returns number of channels added */
cifs_try_adding_channels(struct cifs_ses * ses)146 int cifs_try_adding_channels(struct cifs_ses *ses)
147 {
148 struct TCP_Server_Info *server = ses->server;
149 int old_chan_count, new_chan_count;
150 int left;
151 int rc = 0;
152 int tries = 0;
153 size_t iface_weight = 0, iface_min_speed = 0;
154 struct cifs_server_iface *iface = NULL, *niface = NULL;
155 struct cifs_server_iface *last_iface = NULL;
156
157 spin_lock(&ses->chan_lock);
158
159 new_chan_count = old_chan_count = ses->chan_count;
160 left = ses->chan_max - ses->chan_count;
161
162 if (left <= 0) {
163 spin_unlock(&ses->chan_lock);
164 cifs_dbg(FYI,
165 "ses already at max_channels (%zu), nothing to open\n",
166 ses->chan_max);
167 return 0;
168 }
169
170 if (server->dialect < SMB30_PROT_ID) {
171 spin_unlock(&ses->chan_lock);
172 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
173 return 0;
174 }
175
176 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
177 spin_unlock(&ses->chan_lock);
178 cifs_server_dbg(VFS, "no multichannel support\n");
179 return 0;
180 }
181 spin_unlock(&ses->chan_lock);
182
183 while (left > 0) {
184
185 tries++;
186 if (tries > 3*ses->chan_max) {
187 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
188 left);
189 break;
190 }
191
192 spin_lock(&ses->iface_lock);
193 if (!ses->iface_count) {
194 spin_unlock(&ses->iface_lock);
195 cifs_dbg(ONCE, "server %s does not advertise interfaces\n",
196 ses->server->hostname);
197 break;
198 }
199
200 if (!iface)
201 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
202 iface_head);
203 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
204 iface_head);
205 iface_min_speed = last_iface->speed;
206
207 list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
208 iface_head) {
209 /* do not mix rdma and non-rdma interfaces */
210 if (iface->rdma_capable != ses->server->rdma)
211 continue;
212
213 /* skip ifaces that are unusable */
214 if (!iface->is_active ||
215 (is_ses_using_iface(ses, iface) &&
216 !iface->rss_capable))
217 continue;
218
219 /* check if we already allocated enough channels */
220 iface_weight = iface->speed / iface_min_speed;
221
222 if (iface->weight_fulfilled >= iface_weight)
223 continue;
224
225 /* take ref before unlock */
226 kref_get(&iface->refcount);
227
228 spin_unlock(&ses->iface_lock);
229 rc = cifs_ses_add_channel(ses, iface);
230 spin_lock(&ses->iface_lock);
231
232 if (rc) {
233 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
234 &iface->sockaddr,
235 rc);
236 kref_put(&iface->refcount, release_iface);
237 /* failure to add chan should increase weight */
238 iface->weight_fulfilled++;
239 continue;
240 }
241
242 iface->num_channels++;
243 iface->weight_fulfilled++;
244 cifs_info("successfully opened new channel on iface:%pIS\n",
245 &iface->sockaddr);
246 break;
247 }
248
249 /* reached end of list. reset weight_fulfilled and start over */
250 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
251 list_for_each_entry(iface, &ses->iface_list, iface_head)
252 iface->weight_fulfilled = 0;
253 spin_unlock(&ses->iface_lock);
254 iface = NULL;
255 continue;
256 }
257 spin_unlock(&ses->iface_lock);
258
259 left--;
260 new_chan_count++;
261 }
262
263 return new_chan_count - old_chan_count;
264 }
265
266 /*
267 * cifs_decrease_secondary_channels - Reduce the number of active secondary channels
268 * @ses: pointer to the CIFS session structure
269 * @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max
270 *
271 * This function disables and cleans up extra secondary channels for a CIFS session.
272 * If called during reconfiguration, it reduces the channel count to the new maximum (chan_max).
273 * Otherwise, it disables all but the primary channel.
274 */
275 void
cifs_decrease_secondary_channels(struct cifs_ses * ses,bool disable_mchan)276 cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan)
277 {
278 int i, chan_count;
279 struct TCP_Server_Info *server;
280 struct cifs_server_iface *iface;
281
282 spin_lock(&ses->chan_lock);
283 chan_count = ses->chan_count;
284 if (chan_count == 1)
285 goto done;
286
287 /* Update the chan_count to the new maximum */
288 if (disable_mchan) {
289 cifs_dbg(FYI, "server does not support multichannel anymore.\n");
290 ses->chan_count = 1;
291 } else {
292 ses->chan_count = ses->chan_max;
293 }
294
295 /* Disable all secondary channels beyond the new chan_count */
296 for (i = ses->chan_count ; i < chan_count; i++) {
297 iface = ses->chans[i].iface;
298 server = ses->chans[i].server;
299
300 /*
301 * remove these references first, since we need to unlock
302 * the chan_lock here, since iface_lock is a higher lock
303 */
304 ses->chans[i].iface = NULL;
305 ses->chans[i].server = NULL;
306 spin_unlock(&ses->chan_lock);
307
308 if (iface) {
309 spin_lock(&ses->iface_lock);
310 iface->num_channels--;
311 if (iface->weight_fulfilled)
312 iface->weight_fulfilled--;
313 kref_put(&iface->refcount, release_iface);
314 spin_unlock(&ses->iface_lock);
315 }
316
317 if (server) {
318 if (!server->terminate) {
319 server->terminate = true;
320 cifs_signal_cifsd_for_reconnect(server, false);
321 }
322 cifs_put_tcp_session(server, false);
323 }
324
325 spin_lock(&ses->chan_lock);
326 }
327
328 /* For extra secondary channels, reset the need reconnect bit */
329 if (ses->chan_count == 1) {
330 cifs_dbg(VFS, "Disable all secondary channels\n");
331 ses->chans_need_reconnect &= 1;
332 } else {
333 cifs_dbg(VFS, "Disable extra secondary channels\n");
334 ses->chans_need_reconnect &= ((1UL << ses->chan_max) - 1);
335 }
336
337 done:
338 spin_unlock(&ses->chan_lock);
339 }
340
341 /* update the iface for the channel if necessary. */
342 void
cifs_chan_update_iface(struct cifs_ses * ses,struct TCP_Server_Info * server)343 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
344 {
345 unsigned int chan_index;
346 size_t iface_weight = 0, iface_min_speed = 0;
347 struct cifs_server_iface *iface = NULL;
348 struct cifs_server_iface *old_iface = NULL;
349 struct cifs_server_iface *last_iface = NULL;
350 struct sockaddr_storage ss;
351 int retry = 0;
352
353 spin_lock(&ses->chan_lock);
354 chan_index = cifs_ses_get_chan_index(ses, server);
355 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
356 spin_unlock(&ses->chan_lock);
357 return;
358 }
359
360 if (ses->chans[chan_index].iface) {
361 old_iface = ses->chans[chan_index].iface;
362 if (old_iface->is_active) {
363 spin_unlock(&ses->chan_lock);
364 return;
365 }
366 }
367 spin_unlock(&ses->chan_lock);
368
369 spin_lock(&server->srv_lock);
370 ss = server->dstaddr;
371 spin_unlock(&server->srv_lock);
372
373 spin_lock(&ses->iface_lock);
374 if (!ses->iface_count) {
375 spin_unlock(&ses->iface_lock);
376 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname);
377 return;
378 }
379
380 try_again:
381 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
382 iface_head);
383 iface_min_speed = last_iface->speed;
384
385 /* then look for a new one */
386 list_for_each_entry(iface, &ses->iface_list, iface_head) {
387 if (!chan_index) {
388 /* if we're trying to get the updated iface for primary channel */
389 if (!cifs_match_ipaddr((struct sockaddr *) &ss,
390 (struct sockaddr *) &iface->sockaddr))
391 continue;
392
393 kref_get(&iface->refcount);
394 break;
395 }
396
397 /* do not mix rdma and non-rdma interfaces */
398 if (iface->rdma_capable != server->rdma)
399 continue;
400
401 if (!iface->is_active ||
402 (is_ses_using_iface(ses, iface) &&
403 !iface->rss_capable)) {
404 continue;
405 }
406
407 /* check if we already allocated enough channels */
408 iface_weight = iface->speed / iface_min_speed;
409
410 if (iface->weight_fulfilled >= iface_weight)
411 continue;
412
413 kref_get(&iface->refcount);
414 break;
415 }
416
417 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
418 list_for_each_entry(iface, &ses->iface_list, iface_head)
419 iface->weight_fulfilled = 0;
420
421 /* see if it can be satisfied in second attempt */
422 if (!retry++)
423 goto try_again;
424
425 iface = NULL;
426 cifs_dbg(FYI, "unable to find a suitable iface\n");
427 }
428
429 if (!iface) {
430 if (!chan_index)
431 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
432 &ss);
433 else {
434 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n",
435 &old_iface->sockaddr);
436 }
437
438 spin_unlock(&ses->iface_lock);
439 return;
440 }
441
442 /* now drop the ref to the current iface */
443 if (old_iface) {
444 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
445 &old_iface->sockaddr,
446 &iface->sockaddr);
447
448 old_iface->num_channels--;
449 if (old_iface->weight_fulfilled)
450 old_iface->weight_fulfilled--;
451 iface->num_channels++;
452 iface->weight_fulfilled++;
453
454 kref_put(&old_iface->refcount, release_iface);
455 } else if (!chan_index) {
456 /* special case: update interface for primary channel */
457 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
458 &iface->sockaddr);
459 iface->num_channels++;
460 iface->weight_fulfilled++;
461 }
462 spin_unlock(&ses->iface_lock);
463
464 spin_lock(&ses->chan_lock);
465 chan_index = cifs_ses_get_chan_index(ses, server);
466 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
467 spin_unlock(&ses->chan_lock);
468 return;
469 }
470
471 ses->chans[chan_index].iface = iface;
472 spin_unlock(&ses->chan_lock);
473
474 spin_lock(&server->srv_lock);
475 memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr));
476 spin_unlock(&server->srv_lock);
477 }
478
479 static int
cifs_ses_add_channel(struct cifs_ses * ses,struct cifs_server_iface * iface)480 cifs_ses_add_channel(struct cifs_ses *ses,
481 struct cifs_server_iface *iface)
482 {
483 struct TCP_Server_Info *chan_server;
484 struct cifs_chan *chan;
485 struct smb3_fs_context *ctx;
486 static const char unc_fmt[] = "\\%s\\foo";
487 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
488 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
489 size_t len;
490 int rc;
491 unsigned int xid = get_xid();
492
493 if (iface->sockaddr.ss_family == AF_INET)
494 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
495 ses, iface->speed, str_yes_no(iface->rdma_capable),
496 &ipv4->sin_addr);
497 else
498 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
499 ses, iface->speed, str_yes_no(iface->rdma_capable),
500 &ipv6->sin6_addr);
501
502 /*
503 * Setup a ctx with mostly the same info as the existing
504 * session and overwrite it with the requested iface data.
505 *
506 * We need to setup at least the fields used for negprot and
507 * sesssetup.
508 *
509 * We only need the ctx here, so we can reuse memory from
510 * the session and server without caring about memory
511 * management.
512 */
513 ctx = kzalloc_obj(*ctx);
514 if (!ctx) {
515 rc = -ENOMEM;
516 goto out_free_xid;
517 }
518
519 /* Always make new connection for now (TODO?) */
520 ctx->nosharesock = true;
521
522 /* Auth */
523 ctx->domainauto = ses->domainAuto;
524 ctx->domainname = ses->domainName;
525
526 ctx->server_hostname = ses->server->hostname;
527
528 ctx->username = ses->user_name;
529 ctx->password = ses->password;
530 ctx->sectype = ses->sectype;
531 ctx->sign = ses->sign;
532 ctx->unicode = ses->unicode;
533
534 /* UNC and paths */
535 /* XXX: Use ses->server->hostname? */
536 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
537 ctx->UNC = kzalloc(len, GFP_KERNEL);
538 if (!ctx->UNC) {
539 rc = -ENOMEM;
540 goto out_free_ctx;
541 }
542 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr);
543 ctx->prepath = "";
544
545 /* Reuse same version as master connection */
546 ctx->vals = ses->server->vals;
547 ctx->ops = ses->server->ops;
548
549 ctx->noblocksnd = ses->server->noblocksnd;
550 ctx->noautotune = ses->server->noautotune;
551 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
552 ctx->echo_interval = ses->server->echo_interval / HZ;
553 ctx->max_credits = ses->server->max_credits;
554 ctx->min_offload = ses->server->min_offload;
555 ctx->compress = ses->server->compression.requested;
556 ctx->dfs_conn = ses->server->dfs_conn;
557 ctx->ignore_signature = ses->server->ignore_signature;
558 ctx->leaf_fullpath = ses->server->leaf_fullpath;
559 ctx->rootfs = ses->server->noblockcnt;
560 ctx->retrans = ses->server->retrans;
561
562 /*
563 * This will be used for encoding/decoding user/domain/pw
564 * during sess setup auth.
565 */
566 ctx->local_nls = ses->local_nls;
567
568 /* Use RDMA if possible */
569 ctx->rdma = iface->rdma_capable;
570 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
571
572 /* reuse master con client guid */
573 memcpy(&ctx->client_guid, ses->server->client_guid,
574 sizeof(ctx->client_guid));
575 ctx->use_client_guid = true;
576
577 chan_server = cifs_get_tcp_session(ctx, ses->server);
578
579 spin_lock(&ses->chan_lock);
580 chan = &ses->chans[ses->chan_count];
581 chan->server = chan_server;
582 if (IS_ERR(chan->server)) {
583 rc = PTR_ERR(chan->server);
584 chan->server = NULL;
585 spin_unlock(&ses->chan_lock);
586 goto out;
587 }
588 chan->iface = iface;
589 ses->chan_count++;
590 atomic_set(&ses->chan_seq, 0);
591
592 /* Mark this channel as needing connect/setup */
593 cifs_chan_set_need_reconnect(ses, chan->server);
594
595 spin_unlock(&ses->chan_lock);
596
597 mutex_lock(&ses->session_mutex);
598 /*
599 * We need to allocate the server crypto now as we will need
600 * to sign packets before we generate the channel signing key
601 * (we sign with the session key)
602 */
603 rc = smb3_crypto_shash_allocate(chan->server);
604 if (rc) {
605 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
606 mutex_unlock(&ses->session_mutex);
607 goto out;
608 }
609
610 rc = cifs_negotiate_protocol(xid, ses, chan->server);
611 if (!rc)
612 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
613
614 mutex_unlock(&ses->session_mutex);
615
616 out:
617 if (rc && chan->server) {
618 cifs_put_tcp_session(chan->server, 0);
619
620 spin_lock(&ses->chan_lock);
621
622 /* we rely on all bits beyond chan_count to be clear */
623 cifs_chan_clear_need_reconnect(ses, chan->server);
624 ses->chan_count--;
625 /*
626 * chan_count should never reach 0 as at least the primary
627 * channel is always allocated
628 */
629 WARN_ON(ses->chan_count < 1);
630 spin_unlock(&ses->chan_lock);
631 }
632
633 kfree(ctx->UNC);
634 out_free_ctx:
635 kfree(ctx);
636 out_free_xid:
637 free_xid(xid);
638 return rc;
639 }
640
641
decode_ntlmssp_challenge(char * bcc_ptr,int blob_len,struct cifs_ses * ses)642 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
643 struct cifs_ses *ses)
644 {
645 unsigned int tioffset; /* challenge message target info area */
646 unsigned int tilen; /* challenge message target info area length */
647 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
648 __u32 server_flags;
649
650 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
651 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
652 return -EINVAL;
653 }
654
655 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
656 cifs_dbg(VFS, "blob signature incorrect %s\n",
657 pblob->Signature);
658 return -EINVAL;
659 }
660 if (pblob->MessageType != NtLmChallenge) {
661 cifs_dbg(VFS, "Incorrect message type %d\n",
662 pblob->MessageType);
663 return -EINVAL;
664 }
665
666 server_flags = le32_to_cpu(pblob->NegotiateFlags);
667 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
668 ses->ntlmssp->client_flags, server_flags);
669
670 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) &&
671 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
672 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
673 __func__);
674 return -EINVAL;
675 }
676 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
677 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
678 return -EINVAL;
679 }
680 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
681 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
682 __func__);
683 return -EOPNOTSUPP;
684 }
685 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
686 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
687 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
688 __func__);
689
690 ses->ntlmssp->server_flags = server_flags;
691
692 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
693 /*
694 * In particular we can examine sign flags
695 *
696 * BB spec says that if AvId field of MsvAvTimestamp is populated then
697 * we must set the MIC field of the AUTHENTICATE_MESSAGE
698 */
699
700 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
701 tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
702 if (tioffset > blob_len || tioffset + tilen > blob_len) {
703 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
704 tioffset, tilen);
705 return -EINVAL;
706 }
707 if (tilen) {
708 kfree_sensitive(ses->auth_key.response);
709 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
710 GFP_KERNEL);
711 if (!ses->auth_key.response) {
712 cifs_dbg(VFS, "Challenge target info alloc failure\n");
713 return -ENOMEM;
714 }
715 ses->auth_key.len = tilen;
716 }
717
718 return 0;
719 }
720
size_of_ntlmssp_blob(struct cifs_ses * ses,int base_size)721 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size)
722 {
723 int sz = base_size + ses->auth_key.len
724 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
725
726 if (ses->domainName)
727 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
728 else
729 sz += sizeof(__le16);
730
731 if (ses->user_name)
732 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
733 else
734 sz += sizeof(__le16);
735
736 if (ses->workstation_name[0])
737 sz += sizeof(__le16) * strnlen(ses->workstation_name,
738 ntlmssp_workstation_name_size(ses));
739 else
740 sz += sizeof(__le16);
741
742 return sz;
743 }
744
cifs_security_buffer_from_str(SECURITY_BUFFER * pbuf,char * str_value,int str_length,unsigned char * pstart,unsigned char ** pcur,const struct nls_table * nls_cp)745 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
746 char *str_value,
747 int str_length,
748 unsigned char *pstart,
749 unsigned char **pcur,
750 const struct nls_table *nls_cp)
751 {
752 unsigned char *tmp = pstart;
753 int len;
754
755 if (!pbuf)
756 return;
757
758 if (!pcur)
759 pcur = &tmp;
760
761 if (!str_value) {
762 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
763 pbuf->Length = 0;
764 pbuf->MaximumLength = 0;
765 *pcur += sizeof(__le16);
766 } else {
767 len = cifs_strtoUTF16((__le16 *)*pcur,
768 str_value,
769 str_length,
770 nls_cp);
771 len *= sizeof(__le16);
772 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
773 pbuf->Length = cpu_to_le16(len);
774 pbuf->MaximumLength = cpu_to_le16(len);
775 *pcur += len;
776 }
777 }
778
779 /* BB Move to ntlmssp.c eventually */
780
build_ntlmssp_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)781 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
782 u16 *buflen,
783 struct cifs_ses *ses,
784 struct TCP_Server_Info *server,
785 const struct nls_table *nls_cp)
786 {
787 int rc = 0;
788 NEGOTIATE_MESSAGE *sec_blob;
789 __u32 flags;
790 unsigned char *tmp;
791 int len;
792
793 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE));
794 *pbuffer = kmalloc(len, GFP_KERNEL);
795 if (!*pbuffer) {
796 rc = -ENOMEM;
797 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
798 *buflen = 0;
799 goto setup_ntlm_neg_ret;
800 }
801 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer;
802
803 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
804 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
805 sec_blob->MessageType = NtLmNegotiate;
806
807 /* BB is NTLMV2 session security format easier to use here? */
808 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
809 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
810 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
811 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
812 NTLMSSP_NEGOTIATE_SIGN;
813 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
814 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
815
816 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE);
817 ses->ntlmssp->client_flags = flags;
818 sec_blob->NegotiateFlags = cpu_to_le32(flags);
819
820 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
821 cifs_security_buffer_from_str(&sec_blob->DomainName,
822 NULL,
823 CIFS_MAX_DOMAINNAME_LEN,
824 *pbuffer, &tmp,
825 nls_cp);
826
827 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
828 NULL,
829 CIFS_MAX_WORKSTATION_LEN,
830 *pbuffer, &tmp,
831 nls_cp);
832
833 *buflen = tmp - *pbuffer;
834 setup_ntlm_neg_ret:
835 return rc;
836 }
837
838 /*
839 * Build ntlmssp blob with additional fields, such as version,
840 * supported by modern servers. For safety limit to SMB3 or later
841 * See notes in MS-NLMP Section 2.2.2.1 e.g.
842 */
build_ntlmssp_smb3_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)843 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
844 u16 *buflen,
845 struct cifs_ses *ses,
846 struct TCP_Server_Info *server,
847 const struct nls_table *nls_cp)
848 {
849 int rc = 0;
850 struct negotiate_message *sec_blob;
851 __u32 flags;
852 unsigned char *tmp;
853 int len;
854
855 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message));
856 *pbuffer = kmalloc(len, GFP_KERNEL);
857 if (!*pbuffer) {
858 rc = -ENOMEM;
859 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
860 *buflen = 0;
861 goto setup_ntlm_smb3_neg_ret;
862 }
863 sec_blob = (struct negotiate_message *)*pbuffer;
864
865 memset(*pbuffer, 0, sizeof(struct negotiate_message));
866 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
867 sec_blob->MessageType = NtLmNegotiate;
868
869 /* BB is NTLMV2 session security format easier to use here? */
870 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
871 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
872 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
873 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
874 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION;
875 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
876 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
877
878 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
879 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
880 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
881 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
882
883 tmp = *pbuffer + sizeof(struct negotiate_message);
884 ses->ntlmssp->client_flags = flags;
885 sec_blob->NegotiateFlags = cpu_to_le32(flags);
886
887 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
888 cifs_security_buffer_from_str(&sec_blob->DomainName,
889 NULL,
890 CIFS_MAX_DOMAINNAME_LEN,
891 *pbuffer, &tmp,
892 nls_cp);
893
894 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
895 NULL,
896 CIFS_MAX_WORKSTATION_LEN,
897 *pbuffer, &tmp,
898 nls_cp);
899
900 *buflen = tmp - *pbuffer;
901 setup_ntlm_smb3_neg_ret:
902 return rc;
903 }
904
905
906 /* See MS-NLMP 2.2.1.3 */
build_ntlmssp_auth_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)907 int build_ntlmssp_auth_blob(unsigned char **pbuffer,
908 u16 *buflen,
909 struct cifs_ses *ses,
910 struct TCP_Server_Info *server,
911 const struct nls_table *nls_cp)
912 {
913 int rc;
914 AUTHENTICATE_MESSAGE *sec_blob;
915 __u32 flags;
916 unsigned char *tmp;
917 int len;
918
919 rc = setup_ntlmv2_rsp(ses, nls_cp);
920 if (rc) {
921 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
922 *buflen = 0;
923 goto setup_ntlmv2_ret;
924 }
925
926 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE));
927 *pbuffer = kmalloc(len, GFP_KERNEL);
928 if (!*pbuffer) {
929 rc = -ENOMEM;
930 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
931 *buflen = 0;
932 goto setup_ntlmv2_ret;
933 }
934 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
935
936 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
937 sec_blob->MessageType = NtLmAuthenticate;
938
939 /* send version information in ntlmssp authenticate also */
940 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
941 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION |
942 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
943
944 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
945 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
946 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
947 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
948
949 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
950 sec_blob->NegotiateFlags = cpu_to_le32(flags);
951
952 sec_blob->LmChallengeResponse.BufferOffset =
953 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
954 sec_blob->LmChallengeResponse.Length = 0;
955 sec_blob->LmChallengeResponse.MaximumLength = 0;
956
957 sec_blob->NtChallengeResponse.BufferOffset =
958 cpu_to_le32(tmp - *pbuffer);
959 if (ses->user_name != NULL) {
960 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
961 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
962 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
963
964 sec_blob->NtChallengeResponse.Length =
965 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
966 sec_blob->NtChallengeResponse.MaximumLength =
967 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
968 } else {
969 /*
970 * don't send an NT Response for anonymous access
971 */
972 sec_blob->NtChallengeResponse.Length = 0;
973 sec_blob->NtChallengeResponse.MaximumLength = 0;
974 }
975
976 cifs_security_buffer_from_str(&sec_blob->DomainName,
977 ses->domainName,
978 CIFS_MAX_DOMAINNAME_LEN,
979 *pbuffer, &tmp,
980 nls_cp);
981
982 cifs_security_buffer_from_str(&sec_blob->UserName,
983 ses->user_name,
984 CIFS_MAX_USERNAME_LEN,
985 *pbuffer, &tmp,
986 nls_cp);
987
988 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
989 ses->workstation_name,
990 ntlmssp_workstation_name_size(ses),
991 *pbuffer, &tmp,
992 nls_cp);
993
994 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
995 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) &&
996 !calc_seckey(ses)) {
997 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
998 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
999 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1000 sec_blob->SessionKey.MaximumLength =
1001 cpu_to_le16(CIFS_CPHTXT_SIZE);
1002 tmp += CIFS_CPHTXT_SIZE;
1003 } else {
1004 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1005 sec_blob->SessionKey.Length = 0;
1006 sec_blob->SessionKey.MaximumLength = 0;
1007 }
1008
1009 *buflen = tmp - *pbuffer;
1010 setup_ntlmv2_ret:
1011 return rc;
1012 }
1013
1014 enum securityEnum
cifs_select_sectype(struct TCP_Server_Info * server,enum securityEnum requested)1015 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
1016 {
1017 switch (server->negflavor) {
1018 case CIFS_NEGFLAVOR_EXTENDED:
1019 switch (requested) {
1020 case Kerberos:
1021 case RawNTLMSSP:
1022 case IAKerb:
1023 return requested;
1024 case Unspecified:
1025 if (server->sec_ntlmssp &&
1026 (global_secflags & CIFSSEC_MAY_NTLMSSP))
1027 return RawNTLMSSP;
1028 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) &&
1029 (global_secflags & CIFSSEC_MAY_KRB5))
1030 return Kerberos;
1031 fallthrough;
1032 default:
1033 return Unspecified;
1034 }
1035 case CIFS_NEGFLAVOR_UNENCAP:
1036 switch (requested) {
1037 case NTLMv2:
1038 return requested;
1039 case Unspecified:
1040 if (global_secflags & CIFSSEC_MAY_NTLMV2)
1041 return NTLMv2;
1042 break;
1043 default:
1044 break;
1045 }
1046 fallthrough;
1047 default:
1048 return Unspecified;
1049 }
1050 }
1051