1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 31 { 32 int i; 33 34 spin_lock(&ses->chan_lock); 35 for (i = 0; i < ses->chan_count; i++) { 36 if (ses->chans[i].iface == iface) { 37 spin_unlock(&ses->chan_lock); 38 return true; 39 } 40 } 41 spin_unlock(&ses->chan_lock); 42 return false; 43 } 44 45 /* channel helper functions. assumed that chan_lock is held by caller. */ 46 47 int 48 cifs_ses_get_chan_index(struct cifs_ses *ses, 49 struct TCP_Server_Info *server) 50 { 51 unsigned int i; 52 53 /* if the channel is waiting for termination */ 54 if (server && server->terminate) 55 return CIFS_INVAL_CHAN_INDEX; 56 57 for (i = 0; i < ses->chan_count; i++) { 58 if (ses->chans[i].server == server) 59 return i; 60 } 61 62 /* If we didn't find the channel, it is likely a bug */ 63 if (server) 64 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 65 server->conn_id); 66 return CIFS_INVAL_CHAN_INDEX; 67 } 68 69 void 70 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 71 struct TCP_Server_Info *server) 72 { 73 int chan_index = cifs_ses_get_chan_index(ses, server); 74 75 if (chan_index == CIFS_INVAL_CHAN_INDEX) 76 return; 77 78 ses->chans[chan_index].in_reconnect = true; 79 } 80 81 void 82 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 83 struct TCP_Server_Info *server) 84 { 85 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 86 87 if (chan_index == CIFS_INVAL_CHAN_INDEX) 88 return; 89 90 ses->chans[chan_index].in_reconnect = false; 91 } 92 93 void 94 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 95 struct TCP_Server_Info *server) 96 { 97 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 98 99 if (chan_index == CIFS_INVAL_CHAN_INDEX) 100 return; 101 102 set_bit(chan_index, &ses->chans_need_reconnect); 103 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 104 chan_index, ses->chans_need_reconnect); 105 } 106 107 void 108 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 109 struct TCP_Server_Info *server) 110 { 111 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 112 113 if (chan_index == CIFS_INVAL_CHAN_INDEX) 114 return; 115 116 clear_bit(chan_index, &ses->chans_need_reconnect); 117 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 118 chan_index, ses->chans_need_reconnect); 119 } 120 121 bool 122 cifs_chan_needs_reconnect(struct cifs_ses *ses, 123 struct TCP_Server_Info *server) 124 { 125 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 126 127 if (chan_index == CIFS_INVAL_CHAN_INDEX) 128 return true; /* err on the safer side */ 129 130 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 131 } 132 133 bool 134 cifs_chan_is_iface_active(struct cifs_ses *ses, 135 struct TCP_Server_Info *server) 136 { 137 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 138 139 if (chan_index == CIFS_INVAL_CHAN_INDEX) 140 return true; /* err on the safer side */ 141 142 return ses->chans[chan_index].iface && 143 ses->chans[chan_index].iface->is_active; 144 } 145 146 /* returns number of channels added */ 147 int cifs_try_adding_channels(struct cifs_ses *ses) 148 { 149 struct TCP_Server_Info *server = ses->server; 150 int old_chan_count, new_chan_count; 151 int left; 152 int rc = 0; 153 int tries = 0; 154 size_t iface_weight = 0, iface_min_speed = 0; 155 struct cifs_server_iface *iface = NULL, *niface = NULL; 156 struct cifs_server_iface *last_iface = NULL; 157 158 spin_lock(&ses->chan_lock); 159 160 new_chan_count = old_chan_count = ses->chan_count; 161 left = ses->chan_max - ses->chan_count; 162 163 if (left <= 0) { 164 spin_unlock(&ses->chan_lock); 165 cifs_dbg(FYI, 166 "ses already at max_channels (%zu), nothing to open\n", 167 ses->chan_max); 168 return 0; 169 } 170 171 if (server->dialect < SMB30_PROT_ID) { 172 spin_unlock(&ses->chan_lock); 173 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 174 return 0; 175 } 176 177 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 178 spin_unlock(&ses->chan_lock); 179 cifs_server_dbg(VFS, "no multichannel support\n"); 180 return 0; 181 } 182 spin_unlock(&ses->chan_lock); 183 184 while (left > 0) { 185 186 tries++; 187 if (tries > 3*ses->chan_max) { 188 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 189 left); 190 break; 191 } 192 193 spin_lock(&ses->iface_lock); 194 if (!ses->iface_count) { 195 spin_unlock(&ses->iface_lock); 196 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", 197 ses->server->hostname); 198 break; 199 } 200 201 if (!iface) 202 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 203 iface_head); 204 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 205 iface_head); 206 iface_min_speed = last_iface->speed; 207 208 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 209 iface_head) { 210 /* do not mix rdma and non-rdma interfaces */ 211 if (iface->rdma_capable != ses->server->rdma) 212 continue; 213 214 /* skip ifaces that are unusable */ 215 if (!iface->is_active || 216 (is_ses_using_iface(ses, iface) && 217 !iface->rss_capable)) 218 continue; 219 220 /* check if we already allocated enough channels */ 221 iface_weight = iface->speed / iface_min_speed; 222 223 if (iface->weight_fulfilled >= iface_weight) 224 continue; 225 226 /* take ref before unlock */ 227 kref_get(&iface->refcount); 228 229 spin_unlock(&ses->iface_lock); 230 rc = cifs_ses_add_channel(ses, iface); 231 spin_lock(&ses->iface_lock); 232 233 if (rc) { 234 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 235 &iface->sockaddr, 236 rc); 237 kref_put(&iface->refcount, release_iface); 238 /* failure to add chan should increase weight */ 239 iface->weight_fulfilled++; 240 continue; 241 } 242 243 iface->num_channels++; 244 iface->weight_fulfilled++; 245 cifs_info("successfully opened new channel on iface:%pIS\n", 246 &iface->sockaddr); 247 break; 248 } 249 250 /* reached end of list. reset weight_fulfilled and start over */ 251 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 252 list_for_each_entry(iface, &ses->iface_list, iface_head) 253 iface->weight_fulfilled = 0; 254 spin_unlock(&ses->iface_lock); 255 iface = NULL; 256 continue; 257 } 258 spin_unlock(&ses->iface_lock); 259 260 left--; 261 new_chan_count++; 262 } 263 264 return new_chan_count - old_chan_count; 265 } 266 267 /* 268 * cifs_decrease_secondary_channels - Reduce the number of active secondary channels 269 * @ses: pointer to the CIFS session structure 270 * @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max 271 * 272 * This function disables and cleans up extra secondary channels for a CIFS session. 273 * If called during reconfiguration, it reduces the channel count to the new maximum (chan_max). 274 * Otherwise, it disables all but the primary channel. 275 */ 276 void 277 cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan) 278 { 279 int i, chan_count; 280 struct TCP_Server_Info *server; 281 struct cifs_server_iface *iface; 282 283 spin_lock(&ses->chan_lock); 284 chan_count = ses->chan_count; 285 if (chan_count == 1) 286 goto done; 287 288 /* Update the chan_count to the new maximum */ 289 if (disable_mchan) { 290 cifs_dbg(FYI, "server does not support multichannel anymore.\n"); 291 ses->chan_count = 1; 292 } else { 293 ses->chan_count = ses->chan_max; 294 } 295 296 /* Disable all secondary channels beyond the new chan_count */ 297 for (i = ses->chan_count ; i < chan_count; i++) { 298 iface = ses->chans[i].iface; 299 server = ses->chans[i].server; 300 301 /* 302 * remove these references first, since we need to unlock 303 * the chan_lock here, since iface_lock is a higher lock 304 */ 305 ses->chans[i].iface = NULL; 306 ses->chans[i].server = NULL; 307 spin_unlock(&ses->chan_lock); 308 309 if (iface) { 310 spin_lock(&ses->iface_lock); 311 iface->num_channels--; 312 if (iface->weight_fulfilled) 313 iface->weight_fulfilled--; 314 kref_put(&iface->refcount, release_iface); 315 spin_unlock(&ses->iface_lock); 316 } 317 318 if (server) { 319 if (!server->terminate) { 320 server->terminate = true; 321 cifs_signal_cifsd_for_reconnect(server, false); 322 } 323 cifs_put_tcp_session(server, false); 324 } 325 326 spin_lock(&ses->chan_lock); 327 } 328 329 /* For extra secondary channels, reset the need reconnect bit */ 330 if (ses->chan_count == 1) { 331 cifs_dbg(VFS, "Disable all secondary channels\n"); 332 ses->chans_need_reconnect &= 1; 333 } else { 334 cifs_dbg(VFS, "Disable extra secondary channels\n"); 335 ses->chans_need_reconnect &= ((1UL << ses->chan_max) - 1); 336 } 337 338 done: 339 spin_unlock(&ses->chan_lock); 340 } 341 342 /* update the iface for the channel if necessary. */ 343 void 344 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 345 { 346 unsigned int chan_index; 347 size_t iface_weight = 0, iface_min_speed = 0; 348 struct cifs_server_iface *iface = NULL; 349 struct cifs_server_iface *old_iface = NULL; 350 struct cifs_server_iface *last_iface = NULL; 351 struct sockaddr_storage ss; 352 int retry = 0; 353 354 spin_lock(&ses->chan_lock); 355 chan_index = cifs_ses_get_chan_index(ses, server); 356 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 357 spin_unlock(&ses->chan_lock); 358 return; 359 } 360 361 if (ses->chans[chan_index].iface) { 362 old_iface = ses->chans[chan_index].iface; 363 if (old_iface->is_active) { 364 spin_unlock(&ses->chan_lock); 365 return; 366 } 367 } 368 spin_unlock(&ses->chan_lock); 369 370 spin_lock(&server->srv_lock); 371 ss = server->dstaddr; 372 spin_unlock(&server->srv_lock); 373 374 spin_lock(&ses->iface_lock); 375 if (!ses->iface_count) { 376 spin_unlock(&ses->iface_lock); 377 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname); 378 return; 379 } 380 381 try_again: 382 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 383 iface_head); 384 iface_min_speed = last_iface->speed; 385 386 /* then look for a new one */ 387 list_for_each_entry(iface, &ses->iface_list, iface_head) { 388 if (!chan_index) { 389 /* if we're trying to get the updated iface for primary channel */ 390 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 391 (struct sockaddr *) &iface->sockaddr)) 392 continue; 393 394 kref_get(&iface->refcount); 395 break; 396 } 397 398 /* do not mix rdma and non-rdma interfaces */ 399 if (iface->rdma_capable != server->rdma) 400 continue; 401 402 if (!iface->is_active || 403 (is_ses_using_iface(ses, iface) && 404 !iface->rss_capable)) { 405 continue; 406 } 407 408 /* check if we already allocated enough channels */ 409 iface_weight = iface->speed / iface_min_speed; 410 411 if (iface->weight_fulfilled >= iface_weight) 412 continue; 413 414 kref_get(&iface->refcount); 415 break; 416 } 417 418 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 419 list_for_each_entry(iface, &ses->iface_list, iface_head) 420 iface->weight_fulfilled = 0; 421 422 /* see if it can be satisfied in second attempt */ 423 if (!retry++) 424 goto try_again; 425 426 iface = NULL; 427 cifs_dbg(FYI, "unable to find a suitable iface\n"); 428 } 429 430 if (!iface) { 431 if (!chan_index) 432 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 433 &ss); 434 else { 435 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n", 436 &old_iface->sockaddr); 437 } 438 439 spin_unlock(&ses->iface_lock); 440 return; 441 } 442 443 /* now drop the ref to the current iface */ 444 if (old_iface) { 445 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 446 &old_iface->sockaddr, 447 &iface->sockaddr); 448 449 old_iface->num_channels--; 450 if (old_iface->weight_fulfilled) 451 old_iface->weight_fulfilled--; 452 iface->num_channels++; 453 iface->weight_fulfilled++; 454 455 kref_put(&old_iface->refcount, release_iface); 456 } else if (!chan_index) { 457 /* special case: update interface for primary channel */ 458 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 459 &iface->sockaddr); 460 iface->num_channels++; 461 iface->weight_fulfilled++; 462 } 463 spin_unlock(&ses->iface_lock); 464 465 spin_lock(&ses->chan_lock); 466 chan_index = cifs_ses_get_chan_index(ses, server); 467 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 468 spin_unlock(&ses->chan_lock); 469 return; 470 } 471 472 ses->chans[chan_index].iface = iface; 473 spin_unlock(&ses->chan_lock); 474 475 spin_lock(&server->srv_lock); 476 memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr)); 477 spin_unlock(&server->srv_lock); 478 } 479 480 static int 481 cifs_ses_add_channel(struct cifs_ses *ses, 482 struct cifs_server_iface *iface) 483 { 484 struct TCP_Server_Info *chan_server; 485 struct cifs_chan *chan; 486 struct smb3_fs_context *ctx; 487 static const char unc_fmt[] = "\\%s\\foo"; 488 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 489 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 490 size_t len; 491 int rc; 492 unsigned int xid = get_xid(); 493 494 if (iface->sockaddr.ss_family == AF_INET) 495 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 496 ses, iface->speed, str_yes_no(iface->rdma_capable), 497 &ipv4->sin_addr); 498 else 499 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 500 ses, iface->speed, str_yes_no(iface->rdma_capable), 501 &ipv6->sin6_addr); 502 503 /* 504 * Setup a ctx with mostly the same info as the existing 505 * session and overwrite it with the requested iface data. 506 * 507 * We need to setup at least the fields used for negprot and 508 * sesssetup. 509 * 510 * We only need the ctx here, so we can reuse memory from 511 * the session and server without caring about memory 512 * management. 513 */ 514 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 515 if (!ctx) { 516 rc = -ENOMEM; 517 goto out_free_xid; 518 } 519 520 /* Always make new connection for now (TODO?) */ 521 ctx->nosharesock = true; 522 523 /* Auth */ 524 ctx->domainauto = ses->domainAuto; 525 ctx->domainname = ses->domainName; 526 527 ctx->server_hostname = ses->server->hostname; 528 529 ctx->username = ses->user_name; 530 ctx->password = ses->password; 531 ctx->sectype = ses->sectype; 532 ctx->sign = ses->sign; 533 ctx->unicode = ses->unicode; 534 535 /* UNC and paths */ 536 /* XXX: Use ses->server->hostname? */ 537 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 538 ctx->UNC = kzalloc(len, GFP_KERNEL); 539 if (!ctx->UNC) { 540 rc = -ENOMEM; 541 goto out_free_ctx; 542 } 543 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 544 ctx->prepath = ""; 545 546 /* Reuse same version as master connection */ 547 ctx->vals = ses->server->vals; 548 ctx->ops = ses->server->ops; 549 550 ctx->noblocksnd = ses->server->noblocksnd; 551 ctx->noautotune = ses->server->noautotune; 552 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 553 ctx->echo_interval = ses->server->echo_interval / HZ; 554 ctx->max_credits = ses->server->max_credits; 555 ctx->min_offload = ses->server->min_offload; 556 ctx->compress = ses->server->compression.requested; 557 ctx->dfs_conn = ses->server->dfs_conn; 558 ctx->ignore_signature = ses->server->ignore_signature; 559 ctx->leaf_fullpath = ses->server->leaf_fullpath; 560 ctx->rootfs = ses->server->noblockcnt; 561 ctx->retrans = ses->server->retrans; 562 563 /* 564 * This will be used for encoding/decoding user/domain/pw 565 * during sess setup auth. 566 */ 567 ctx->local_nls = ses->local_nls; 568 569 /* Use RDMA if possible */ 570 ctx->rdma = iface->rdma_capable; 571 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 572 573 /* reuse master con client guid */ 574 memcpy(&ctx->client_guid, ses->server->client_guid, 575 sizeof(ctx->client_guid)); 576 ctx->use_client_guid = true; 577 578 chan_server = cifs_get_tcp_session(ctx, ses->server); 579 580 spin_lock(&ses->chan_lock); 581 chan = &ses->chans[ses->chan_count]; 582 chan->server = chan_server; 583 if (IS_ERR(chan->server)) { 584 rc = PTR_ERR(chan->server); 585 chan->server = NULL; 586 spin_unlock(&ses->chan_lock); 587 goto out; 588 } 589 chan->iface = iface; 590 ses->chan_count++; 591 atomic_set(&ses->chan_seq, 0); 592 593 /* Mark this channel as needing connect/setup */ 594 cifs_chan_set_need_reconnect(ses, chan->server); 595 596 spin_unlock(&ses->chan_lock); 597 598 mutex_lock(&ses->session_mutex); 599 /* 600 * We need to allocate the server crypto now as we will need 601 * to sign packets before we generate the channel signing key 602 * (we sign with the session key) 603 */ 604 rc = smb3_crypto_shash_allocate(chan->server); 605 if (rc) { 606 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 607 mutex_unlock(&ses->session_mutex); 608 goto out; 609 } 610 611 rc = cifs_negotiate_protocol(xid, ses, chan->server); 612 if (!rc) 613 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 614 615 mutex_unlock(&ses->session_mutex); 616 617 out: 618 if (rc && chan->server) { 619 cifs_put_tcp_session(chan->server, 0); 620 621 spin_lock(&ses->chan_lock); 622 623 /* we rely on all bits beyond chan_count to be clear */ 624 cifs_chan_clear_need_reconnect(ses, chan->server); 625 ses->chan_count--; 626 /* 627 * chan_count should never reach 0 as at least the primary 628 * channel is always allocated 629 */ 630 WARN_ON(ses->chan_count < 1); 631 spin_unlock(&ses->chan_lock); 632 } 633 634 kfree(ctx->UNC); 635 out_free_ctx: 636 kfree(ctx); 637 out_free_xid: 638 free_xid(xid); 639 return rc; 640 } 641 642 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 643 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 644 struct TCP_Server_Info *server, 645 SESSION_SETUP_ANDX *pSMB) 646 { 647 __u32 capabilities = 0; 648 649 /* init fields common to all four types of SessSetup */ 650 /* Note that offsets for first seven fields in req struct are same */ 651 /* in CIFS Specs so does not matter which of 3 forms of struct */ 652 /* that we use in next few lines */ 653 /* Note that header is initialized to zero in header_assemble */ 654 pSMB->req.AndXCommand = 0xFF; 655 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 656 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 657 USHRT_MAX)); 658 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 659 pSMB->req.VcNumber = cpu_to_le16(1); 660 pSMB->req.SessionKey = server->session_key_id; 661 662 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 663 664 /* BB verify whether signing required on neg or just auth frame (and NTLM case) */ 665 666 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 667 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 668 669 if (server->sign) 670 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 671 672 if (ses->capabilities & CAP_UNICODE) { 673 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 674 capabilities |= CAP_UNICODE; 675 } 676 if (ses->capabilities & CAP_STATUS32) { 677 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 678 capabilities |= CAP_STATUS32; 679 } 680 if (ses->capabilities & CAP_DFS) { 681 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 682 capabilities |= CAP_DFS; 683 } 684 if (ses->capabilities & CAP_UNIX) 685 capabilities |= CAP_UNIX; 686 687 return capabilities; 688 } 689 690 static void 691 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 692 { 693 char *bcc_ptr = *pbcc_area; 694 int bytes_ret = 0; 695 696 /* Copy OS version */ 697 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 698 nls_cp); 699 bcc_ptr += 2 * bytes_ret; 700 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 701 32, nls_cp); 702 bcc_ptr += 2 * bytes_ret; 703 bcc_ptr += 2; /* trailing null */ 704 705 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 706 32, nls_cp); 707 bcc_ptr += 2 * bytes_ret; 708 bcc_ptr += 2; /* trailing null */ 709 710 *pbcc_area = bcc_ptr; 711 } 712 713 static void 714 ascii_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 715 { 716 char *bcc_ptr = *pbcc_area; 717 718 strcpy(bcc_ptr, "Linux version "); 719 bcc_ptr += strlen("Linux version "); 720 strcpy(bcc_ptr, init_utsname()->release); 721 bcc_ptr += strlen(init_utsname()->release) + 1; 722 723 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 724 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 725 726 *pbcc_area = bcc_ptr; 727 } 728 729 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 730 const struct nls_table *nls_cp) 731 { 732 char *bcc_ptr = *pbcc_area; 733 int bytes_ret = 0; 734 735 /* copy domain */ 736 if (ses->domainName == NULL) { 737 /* 738 * Sending null domain better than using a bogus domain name (as 739 * we did briefly in 2.6.18) since server will use its default 740 */ 741 *bcc_ptr = 0; 742 *(bcc_ptr+1) = 0; 743 bytes_ret = 0; 744 } else 745 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 746 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 747 bcc_ptr += 2 * bytes_ret; 748 bcc_ptr += 2; /* account for null terminator */ 749 750 *pbcc_area = bcc_ptr; 751 } 752 753 static void ascii_domain_string(char **pbcc_area, struct cifs_ses *ses, 754 const struct nls_table *nls_cp) 755 { 756 char *bcc_ptr = *pbcc_area; 757 int len; 758 759 /* copy domain */ 760 if (ses->domainName != NULL) { 761 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 762 if (WARN_ON_ONCE(len < 0)) 763 len = CIFS_MAX_DOMAINNAME_LEN - 1; 764 bcc_ptr += len; 765 } /* else we send a null domain name so server will default to its own domain */ 766 *bcc_ptr = 0; 767 bcc_ptr++; 768 769 *pbcc_area = bcc_ptr; 770 } 771 772 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 773 const struct nls_table *nls_cp) 774 { 775 char *bcc_ptr = *pbcc_area; 776 int bytes_ret = 0; 777 778 /* BB FIXME add check that strings less than 335 or will need to send as arrays */ 779 780 /* copy user */ 781 if (ses->user_name == NULL) { 782 /* null user mount */ 783 *bcc_ptr = 0; 784 *(bcc_ptr+1) = 0; 785 } else { 786 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 787 CIFS_MAX_USERNAME_LEN, nls_cp); 788 } 789 bcc_ptr += 2 * bytes_ret; 790 bcc_ptr += 2; /* account for null termination */ 791 792 unicode_domain_string(&bcc_ptr, ses, nls_cp); 793 unicode_oslm_strings(&bcc_ptr, nls_cp); 794 795 *pbcc_area = bcc_ptr; 796 } 797 798 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 799 const struct nls_table *nls_cp) 800 { 801 char *bcc_ptr = *pbcc_area; 802 int len; 803 804 /* copy user */ 805 /* BB what about null user mounts - check that we do this BB */ 806 /* copy user */ 807 if (ses->user_name != NULL) { 808 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 809 if (WARN_ON_ONCE(len < 0)) 810 len = CIFS_MAX_USERNAME_LEN - 1; 811 bcc_ptr += len; 812 } 813 /* else null user mount */ 814 *bcc_ptr = 0; 815 bcc_ptr++; /* account for null termination */ 816 817 /* BB check for overflow here */ 818 819 ascii_domain_string(&bcc_ptr, ses, nls_cp); 820 ascii_oslm_strings(&bcc_ptr, nls_cp); 821 822 *pbcc_area = bcc_ptr; 823 } 824 825 static void 826 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 827 const struct nls_table *nls_cp) 828 { 829 int len; 830 char *data = *pbcc_area; 831 832 cifs_dbg(FYI, "bleft %d\n", bleft); 833 834 kfree(ses->serverOS); 835 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 836 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 837 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 838 data += len; 839 bleft -= len; 840 if (bleft <= 0) 841 return; 842 843 kfree(ses->serverNOS); 844 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 845 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 846 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 847 data += len; 848 bleft -= len; 849 if (bleft <= 0) 850 return; 851 852 kfree(ses->serverDomain); 853 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 854 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 855 856 return; 857 } 858 859 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 860 struct cifs_ses *ses, 861 const struct nls_table *nls_cp) 862 { 863 int len; 864 char *bcc_ptr = *pbcc_area; 865 866 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 867 868 len = strnlen(bcc_ptr, bleft); 869 if (len >= bleft) 870 return; 871 872 kfree(ses->serverOS); 873 874 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 875 if (ses->serverOS) { 876 memcpy(ses->serverOS, bcc_ptr, len); 877 ses->serverOS[len] = 0; 878 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 879 cifs_dbg(FYI, "OS/2 server\n"); 880 } 881 882 bcc_ptr += len + 1; 883 bleft -= len + 1; 884 885 len = strnlen(bcc_ptr, bleft); 886 if (len >= bleft) 887 return; 888 889 kfree(ses->serverNOS); 890 891 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 892 if (ses->serverNOS) { 893 memcpy(ses->serverNOS, bcc_ptr, len); 894 ses->serverNOS[len] = 0; 895 } 896 897 bcc_ptr += len + 1; 898 bleft -= len + 1; 899 900 len = strnlen(bcc_ptr, bleft); 901 if (len > bleft) 902 return; 903 904 /* 905 * No domain field in LANMAN case. Domain is 906 * returned by old servers in the SMB negprot response 907 * 908 * BB For newer servers which do not support Unicode, 909 * but thus do return domain here, we could add parsing 910 * for it later, but it is not very important 911 */ 912 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 913 } 914 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 915 916 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 917 struct cifs_ses *ses) 918 { 919 unsigned int tioffset; /* challenge message target info area */ 920 unsigned int tilen; /* challenge message target info area length */ 921 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 922 __u32 server_flags; 923 924 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 925 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 926 return -EINVAL; 927 } 928 929 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 930 cifs_dbg(VFS, "blob signature incorrect %s\n", 931 pblob->Signature); 932 return -EINVAL; 933 } 934 if (pblob->MessageType != NtLmChallenge) { 935 cifs_dbg(VFS, "Incorrect message type %d\n", 936 pblob->MessageType); 937 return -EINVAL; 938 } 939 940 server_flags = le32_to_cpu(pblob->NegotiateFlags); 941 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 942 ses->ntlmssp->client_flags, server_flags); 943 944 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 945 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 946 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 947 __func__); 948 return -EINVAL; 949 } 950 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 951 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 952 return -EINVAL; 953 } 954 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 955 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 956 __func__); 957 return -EOPNOTSUPP; 958 } 959 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 960 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 961 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 962 __func__); 963 964 ses->ntlmssp->server_flags = server_flags; 965 966 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 967 /* 968 * In particular we can examine sign flags 969 * 970 * BB spec says that if AvId field of MsvAvTimestamp is populated then 971 * we must set the MIC field of the AUTHENTICATE_MESSAGE 972 */ 973 974 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 975 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 976 if (tioffset > blob_len || tioffset + tilen > blob_len) { 977 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 978 tioffset, tilen); 979 return -EINVAL; 980 } 981 if (tilen) { 982 kfree_sensitive(ses->auth_key.response); 983 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 984 GFP_KERNEL); 985 if (!ses->auth_key.response) { 986 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 987 return -ENOMEM; 988 } 989 ses->auth_key.len = tilen; 990 } 991 992 return 0; 993 } 994 995 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 996 { 997 int sz = base_size + ses->auth_key.len 998 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 999 1000 if (ses->domainName) 1001 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1002 else 1003 sz += sizeof(__le16); 1004 1005 if (ses->user_name) 1006 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1007 else 1008 sz += sizeof(__le16); 1009 1010 if (ses->workstation_name[0]) 1011 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1012 ntlmssp_workstation_name_size(ses)); 1013 else 1014 sz += sizeof(__le16); 1015 1016 return sz; 1017 } 1018 1019 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1020 char *str_value, 1021 int str_length, 1022 unsigned char *pstart, 1023 unsigned char **pcur, 1024 const struct nls_table *nls_cp) 1025 { 1026 unsigned char *tmp = pstart; 1027 int len; 1028 1029 if (!pbuf) 1030 return; 1031 1032 if (!pcur) 1033 pcur = &tmp; 1034 1035 if (!str_value) { 1036 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1037 pbuf->Length = 0; 1038 pbuf->MaximumLength = 0; 1039 *pcur += sizeof(__le16); 1040 } else { 1041 len = cifs_strtoUTF16((__le16 *)*pcur, 1042 str_value, 1043 str_length, 1044 nls_cp); 1045 len *= sizeof(__le16); 1046 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1047 pbuf->Length = cpu_to_le16(len); 1048 pbuf->MaximumLength = cpu_to_le16(len); 1049 *pcur += len; 1050 } 1051 } 1052 1053 /* BB Move to ntlmssp.c eventually */ 1054 1055 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1056 u16 *buflen, 1057 struct cifs_ses *ses, 1058 struct TCP_Server_Info *server, 1059 const struct nls_table *nls_cp) 1060 { 1061 int rc = 0; 1062 NEGOTIATE_MESSAGE *sec_blob; 1063 __u32 flags; 1064 unsigned char *tmp; 1065 int len; 1066 1067 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1068 *pbuffer = kmalloc(len, GFP_KERNEL); 1069 if (!*pbuffer) { 1070 rc = -ENOMEM; 1071 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1072 *buflen = 0; 1073 goto setup_ntlm_neg_ret; 1074 } 1075 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1076 1077 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1078 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1079 sec_blob->MessageType = NtLmNegotiate; 1080 1081 /* BB is NTLMV2 session security format easier to use here? */ 1082 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1083 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1084 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1085 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1086 NTLMSSP_NEGOTIATE_SIGN; 1087 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1088 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1089 1090 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1091 ses->ntlmssp->client_flags = flags; 1092 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1093 1094 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1095 cifs_security_buffer_from_str(&sec_blob->DomainName, 1096 NULL, 1097 CIFS_MAX_DOMAINNAME_LEN, 1098 *pbuffer, &tmp, 1099 nls_cp); 1100 1101 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1102 NULL, 1103 CIFS_MAX_WORKSTATION_LEN, 1104 *pbuffer, &tmp, 1105 nls_cp); 1106 1107 *buflen = tmp - *pbuffer; 1108 setup_ntlm_neg_ret: 1109 return rc; 1110 } 1111 1112 /* 1113 * Build ntlmssp blob with additional fields, such as version, 1114 * supported by modern servers. For safety limit to SMB3 or later 1115 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1116 */ 1117 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1118 u16 *buflen, 1119 struct cifs_ses *ses, 1120 struct TCP_Server_Info *server, 1121 const struct nls_table *nls_cp) 1122 { 1123 int rc = 0; 1124 struct negotiate_message *sec_blob; 1125 __u32 flags; 1126 unsigned char *tmp; 1127 int len; 1128 1129 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1130 *pbuffer = kmalloc(len, GFP_KERNEL); 1131 if (!*pbuffer) { 1132 rc = -ENOMEM; 1133 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1134 *buflen = 0; 1135 goto setup_ntlm_smb3_neg_ret; 1136 } 1137 sec_blob = (struct negotiate_message *)*pbuffer; 1138 1139 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1140 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1141 sec_blob->MessageType = NtLmNegotiate; 1142 1143 /* BB is NTLMV2 session security format easier to use here? */ 1144 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1145 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1146 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1147 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1148 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1149 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1150 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1151 1152 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1153 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1154 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1155 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1156 1157 tmp = *pbuffer + sizeof(struct negotiate_message); 1158 ses->ntlmssp->client_flags = flags; 1159 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1160 1161 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1162 cifs_security_buffer_from_str(&sec_blob->DomainName, 1163 NULL, 1164 CIFS_MAX_DOMAINNAME_LEN, 1165 *pbuffer, &tmp, 1166 nls_cp); 1167 1168 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1169 NULL, 1170 CIFS_MAX_WORKSTATION_LEN, 1171 *pbuffer, &tmp, 1172 nls_cp); 1173 1174 *buflen = tmp - *pbuffer; 1175 setup_ntlm_smb3_neg_ret: 1176 return rc; 1177 } 1178 1179 1180 /* See MS-NLMP 2.2.1.3 */ 1181 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1182 u16 *buflen, 1183 struct cifs_ses *ses, 1184 struct TCP_Server_Info *server, 1185 const struct nls_table *nls_cp) 1186 { 1187 int rc; 1188 AUTHENTICATE_MESSAGE *sec_blob; 1189 __u32 flags; 1190 unsigned char *tmp; 1191 int len; 1192 1193 rc = setup_ntlmv2_rsp(ses, nls_cp); 1194 if (rc) { 1195 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1196 *buflen = 0; 1197 goto setup_ntlmv2_ret; 1198 } 1199 1200 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1201 *pbuffer = kmalloc(len, GFP_KERNEL); 1202 if (!*pbuffer) { 1203 rc = -ENOMEM; 1204 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1205 *buflen = 0; 1206 goto setup_ntlmv2_ret; 1207 } 1208 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1209 1210 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1211 sec_blob->MessageType = NtLmAuthenticate; 1212 1213 /* send version information in ntlmssp authenticate also */ 1214 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1215 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 1216 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1217 1218 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1219 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1220 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1221 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1222 1223 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1224 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1225 1226 sec_blob->LmChallengeResponse.BufferOffset = 1227 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1228 sec_blob->LmChallengeResponse.Length = 0; 1229 sec_blob->LmChallengeResponse.MaximumLength = 0; 1230 1231 sec_blob->NtChallengeResponse.BufferOffset = 1232 cpu_to_le32(tmp - *pbuffer); 1233 if (ses->user_name != NULL) { 1234 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1235 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1236 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1237 1238 sec_blob->NtChallengeResponse.Length = 1239 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1240 sec_blob->NtChallengeResponse.MaximumLength = 1241 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1242 } else { 1243 /* 1244 * don't send an NT Response for anonymous access 1245 */ 1246 sec_blob->NtChallengeResponse.Length = 0; 1247 sec_blob->NtChallengeResponse.MaximumLength = 0; 1248 } 1249 1250 cifs_security_buffer_from_str(&sec_blob->DomainName, 1251 ses->domainName, 1252 CIFS_MAX_DOMAINNAME_LEN, 1253 *pbuffer, &tmp, 1254 nls_cp); 1255 1256 cifs_security_buffer_from_str(&sec_blob->UserName, 1257 ses->user_name, 1258 CIFS_MAX_USERNAME_LEN, 1259 *pbuffer, &tmp, 1260 nls_cp); 1261 1262 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1263 ses->workstation_name, 1264 ntlmssp_workstation_name_size(ses), 1265 *pbuffer, &tmp, 1266 nls_cp); 1267 1268 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1269 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1270 !calc_seckey(ses)) { 1271 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1272 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1273 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1274 sec_blob->SessionKey.MaximumLength = 1275 cpu_to_le16(CIFS_CPHTXT_SIZE); 1276 tmp += CIFS_CPHTXT_SIZE; 1277 } else { 1278 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1279 sec_blob->SessionKey.Length = 0; 1280 sec_blob->SessionKey.MaximumLength = 0; 1281 } 1282 1283 *buflen = tmp - *pbuffer; 1284 setup_ntlmv2_ret: 1285 return rc; 1286 } 1287 1288 enum securityEnum 1289 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1290 { 1291 switch (server->negflavor) { 1292 case CIFS_NEGFLAVOR_EXTENDED: 1293 switch (requested) { 1294 case Kerberos: 1295 case RawNTLMSSP: 1296 case IAKerb: 1297 return requested; 1298 case Unspecified: 1299 if (server->sec_ntlmssp && 1300 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1301 return RawNTLMSSP; 1302 if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) && 1303 (global_secflags & CIFSSEC_MAY_KRB5)) 1304 return Kerberos; 1305 fallthrough; 1306 default: 1307 return Unspecified; 1308 } 1309 case CIFS_NEGFLAVOR_UNENCAP: 1310 switch (requested) { 1311 case NTLMv2: 1312 return requested; 1313 case Unspecified: 1314 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1315 return NTLMv2; 1316 break; 1317 default: 1318 break; 1319 } 1320 fallthrough; 1321 default: 1322 return Unspecified; 1323 } 1324 } 1325 1326 struct sess_data { 1327 unsigned int xid; 1328 struct cifs_ses *ses; 1329 struct TCP_Server_Info *server; 1330 struct nls_table *nls_cp; 1331 void (*func)(struct sess_data *); 1332 int result; 1333 unsigned int in_len; 1334 1335 /* we will send the SMB in three pieces: 1336 * a fixed length beginning part, an optional 1337 * SPNEGO blob (which can be zero length), and a 1338 * last part which will include the strings 1339 * and rest of bcc area. This allows us to avoid 1340 * a large buffer 17K allocation 1341 */ 1342 int buf0_type; 1343 struct kvec iov[3]; 1344 }; 1345 1346 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1347 static int 1348 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1349 { 1350 int rc; 1351 struct cifs_ses *ses = sess_data->ses; 1352 struct smb_hdr *smb_buf; 1353 1354 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1355 (void **)&smb_buf); 1356 1357 if (rc < 0) 1358 return rc; 1359 1360 sess_data->in_len = rc; 1361 sess_data->iov[0].iov_base = (char *)smb_buf; 1362 sess_data->iov[0].iov_len = sess_data->in_len; 1363 /* 1364 * This variable will be used to clear the buffer 1365 * allocated above in case of any error in the calling function. 1366 */ 1367 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1368 1369 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1370 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1371 if (!sess_data->iov[2].iov_base) { 1372 rc = -ENOMEM; 1373 goto out_free_smb_buf; 1374 } 1375 1376 return 0; 1377 1378 out_free_smb_buf: 1379 cifs_small_buf_release(smb_buf); 1380 sess_data->iov[0].iov_base = NULL; 1381 sess_data->iov[0].iov_len = 0; 1382 sess_data->buf0_type = CIFS_NO_BUFFER; 1383 return rc; 1384 } 1385 1386 static void 1387 sess_free_buffer(struct sess_data *sess_data) 1388 { 1389 struct kvec *iov = sess_data->iov; 1390 1391 /* 1392 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1393 * Note that iov[1] is already freed by caller. 1394 */ 1395 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1396 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1397 1398 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1399 sess_data->buf0_type = CIFS_NO_BUFFER; 1400 kfree_sensitive(iov[2].iov_base); 1401 } 1402 1403 static int 1404 sess_establish_session(struct sess_data *sess_data) 1405 { 1406 struct cifs_ses *ses = sess_data->ses; 1407 struct TCP_Server_Info *server = sess_data->server; 1408 1409 cifs_server_lock(server); 1410 if (!server->session_estab) { 1411 if (server->sign) { 1412 server->session_key.response = 1413 kmemdup(ses->auth_key.response, 1414 ses->auth_key.len, GFP_KERNEL); 1415 if (!server->session_key.response) { 1416 cifs_server_unlock(server); 1417 return -ENOMEM; 1418 } 1419 server->session_key.len = 1420 ses->auth_key.len; 1421 } 1422 server->sequence_number = 0x2; 1423 server->session_estab = true; 1424 } 1425 cifs_server_unlock(server); 1426 1427 cifs_dbg(FYI, "CIFS session established successfully\n"); 1428 return 0; 1429 } 1430 1431 static int 1432 sess_sendreceive(struct sess_data *sess_data) 1433 { 1434 int rc; 1435 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1436 __u16 count; 1437 struct kvec rsp_iov = { NULL, 0 }; 1438 1439 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1440 sess_data->in_len += count; 1441 put_bcc(count, smb_buf); 1442 1443 rc = SendReceive2(sess_data->xid, sess_data->ses, 1444 sess_data->iov, 3 /* num_iovecs */, 1445 &sess_data->buf0_type, 1446 CIFS_LOG_ERROR, &rsp_iov); 1447 cifs_small_buf_release(sess_data->iov[0].iov_base); 1448 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1449 1450 return rc; 1451 } 1452 1453 static void 1454 sess_auth_ntlmv2(struct sess_data *sess_data) 1455 { 1456 int rc = 0; 1457 struct smb_hdr *smb_buf; 1458 SESSION_SETUP_ANDX *pSMB; 1459 char *bcc_ptr; 1460 struct cifs_ses *ses = sess_data->ses; 1461 struct TCP_Server_Info *server = sess_data->server; 1462 __u32 capabilities; 1463 __u16 bytes_remaining; 1464 1465 /* old style NTLM sessionsetup */ 1466 /* wct = 13 */ 1467 rc = sess_alloc_buffer(sess_data, 13); 1468 if (rc) 1469 goto out; 1470 1471 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1472 bcc_ptr = sess_data->iov[2].iov_base; 1473 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1474 1475 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1476 1477 /* LM2 password would be here if we supported it */ 1478 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1479 1480 if (ses->user_name != NULL) { 1481 /* calculate nlmv2 response and session key */ 1482 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1483 if (rc) { 1484 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1485 goto out; 1486 } 1487 1488 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1489 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1490 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1491 1492 /* set case sensitive password length after tilen may get 1493 * assigned, tilen is 0 otherwise. 1494 */ 1495 pSMB->req_no_secext.CaseSensitivePasswordLength = 1496 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1497 } else { 1498 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1499 } 1500 1501 if (ses->capabilities & CAP_UNICODE) { 1502 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1503 *bcc_ptr = 0; 1504 bcc_ptr++; 1505 } 1506 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1507 } else { 1508 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1509 } 1510 1511 1512 sess_data->iov[2].iov_len = (long) bcc_ptr - 1513 (long) sess_data->iov[2].iov_base; 1514 1515 rc = sess_sendreceive(sess_data); 1516 if (rc) 1517 goto out; 1518 1519 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1520 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1521 1522 if (smb_buf->WordCount != 3) { 1523 rc = smb_EIO1(smb_eio_trace_sess_nl2_wcc, smb_buf->WordCount); 1524 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1525 goto out; 1526 } 1527 1528 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1529 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1530 1531 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1532 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1533 1534 bytes_remaining = get_bcc(smb_buf); 1535 bcc_ptr = pByteArea(smb_buf); 1536 1537 /* BB check if Unicode and decode strings */ 1538 if (bytes_remaining == 0) { 1539 /* no string area to decode, do nothing */ 1540 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1541 /* unicode string area must be word-aligned */ 1542 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1543 ++bcc_ptr; 1544 --bytes_remaining; 1545 } 1546 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1547 sess_data->nls_cp); 1548 } else { 1549 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1550 sess_data->nls_cp); 1551 } 1552 1553 rc = sess_establish_session(sess_data); 1554 out: 1555 sess_data->result = rc; 1556 sess_data->func = NULL; 1557 sess_free_buffer(sess_data); 1558 kfree_sensitive(ses->auth_key.response); 1559 ses->auth_key.response = NULL; 1560 } 1561 1562 #ifdef CONFIG_CIFS_UPCALL 1563 static void 1564 sess_auth_kerberos(struct sess_data *sess_data) 1565 { 1566 int rc = 0; 1567 struct smb_hdr *smb_buf; 1568 SESSION_SETUP_ANDX *pSMB; 1569 char *bcc_ptr; 1570 struct cifs_ses *ses = sess_data->ses; 1571 struct TCP_Server_Info *server = sess_data->server; 1572 __u32 capabilities; 1573 __u16 bytes_remaining; 1574 struct key *spnego_key = NULL; 1575 struct cifs_spnego_msg *msg; 1576 u16 blob_len; 1577 1578 /* extended security */ 1579 /* wct = 12 */ 1580 rc = sess_alloc_buffer(sess_data, 12); 1581 if (rc) 1582 goto out; 1583 1584 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1585 bcc_ptr = sess_data->iov[2].iov_base; 1586 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1587 1588 spnego_key = cifs_get_spnego_key(ses, server); 1589 if (IS_ERR(spnego_key)) { 1590 rc = PTR_ERR(spnego_key); 1591 spnego_key = NULL; 1592 goto out; 1593 } 1594 1595 msg = spnego_key->payload.data[0]; 1596 /* 1597 * check version field to make sure that cifs.upcall is 1598 * sending us a response in an expected form 1599 */ 1600 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1601 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1602 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1603 rc = -EKEYREJECTED; 1604 goto out_put_spnego_key; 1605 } 1606 1607 kfree_sensitive(ses->auth_key.response); 1608 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1609 GFP_KERNEL); 1610 if (!ses->auth_key.response) { 1611 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1612 msg->sesskey_len); 1613 rc = -ENOMEM; 1614 goto out_put_spnego_key; 1615 } 1616 ses->auth_key.len = msg->sesskey_len; 1617 1618 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1619 capabilities |= CAP_EXTENDED_SECURITY; 1620 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1621 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1622 sess_data->iov[1].iov_len = msg->secblob_len; 1623 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1624 1625 if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) { 1626 /* unicode strings must be word aligned */ 1627 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1628 *bcc_ptr = 0; 1629 bcc_ptr++; 1630 } 1631 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1632 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1633 } else { 1634 ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1635 ascii_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1636 } 1637 1638 sess_data->iov[2].iov_len = (long) bcc_ptr - 1639 (long) sess_data->iov[2].iov_base; 1640 1641 rc = sess_sendreceive(sess_data); 1642 if (rc) 1643 goto out_put_spnego_key; 1644 1645 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1646 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1647 1648 if (smb_buf->WordCount != 4) { 1649 rc = smb_EIO1(smb_eio_trace_sess_krb_wcc, smb_buf->WordCount); 1650 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1651 goto out_put_spnego_key; 1652 } 1653 1654 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1655 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1656 1657 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1658 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1659 1660 bytes_remaining = get_bcc(smb_buf); 1661 bcc_ptr = pByteArea(smb_buf); 1662 1663 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1664 if (blob_len > bytes_remaining) { 1665 cifs_dbg(VFS, "bad security blob length %d\n", 1666 blob_len); 1667 rc = -EINVAL; 1668 goto out_put_spnego_key; 1669 } 1670 bcc_ptr += blob_len; 1671 bytes_remaining -= blob_len; 1672 1673 /* BB check if Unicode and decode strings */ 1674 if (bytes_remaining == 0) { 1675 /* no string area to decode, do nothing */ 1676 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1677 /* unicode string area must be word-aligned */ 1678 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1679 ++bcc_ptr; 1680 --bytes_remaining; 1681 } 1682 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1683 sess_data->nls_cp); 1684 } else { 1685 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1686 sess_data->nls_cp); 1687 } 1688 1689 rc = sess_establish_session(sess_data); 1690 out_put_spnego_key: 1691 key_invalidate(spnego_key); 1692 key_put(spnego_key); 1693 out: 1694 sess_data->result = rc; 1695 sess_data->func = NULL; 1696 sess_free_buffer(sess_data); 1697 kfree_sensitive(ses->auth_key.response); 1698 ses->auth_key.response = NULL; 1699 } 1700 1701 #endif /* ! CONFIG_CIFS_UPCALL */ 1702 1703 /* 1704 * The required kvec buffers have to be allocated before calling this 1705 * function. 1706 */ 1707 static int 1708 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1709 { 1710 SESSION_SETUP_ANDX *pSMB; 1711 struct cifs_ses *ses = sess_data->ses; 1712 struct TCP_Server_Info *server = sess_data->server; 1713 __u32 capabilities; 1714 char *bcc_ptr; 1715 1716 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1717 1718 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1719 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1720 capabilities |= CAP_EXTENDED_SECURITY; 1721 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1722 1723 bcc_ptr = sess_data->iov[2].iov_base; 1724 1725 if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) { 1726 /* unicode strings must be word aligned */ 1727 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1728 *bcc_ptr = 0; 1729 bcc_ptr++; 1730 } 1731 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1732 } else { 1733 ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1734 } 1735 1736 sess_data->iov[2].iov_len = (long) bcc_ptr - 1737 (long) sess_data->iov[2].iov_base; 1738 1739 return 0; 1740 } 1741 1742 static void 1743 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1744 1745 static void 1746 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1747 { 1748 int rc; 1749 struct smb_hdr *smb_buf; 1750 SESSION_SETUP_ANDX *pSMB; 1751 struct cifs_ses *ses = sess_data->ses; 1752 struct TCP_Server_Info *server = sess_data->server; 1753 __u16 bytes_remaining; 1754 char *bcc_ptr; 1755 unsigned char *ntlmsspblob = NULL; 1756 u16 blob_len; 1757 1758 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1759 1760 /* 1761 * if memory allocation is successful, caller of this function 1762 * frees it. 1763 */ 1764 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1765 if (!ses->ntlmssp) { 1766 rc = -ENOMEM; 1767 goto out; 1768 } 1769 ses->ntlmssp->sesskey_per_smbsess = false; 1770 1771 /* wct = 12 */ 1772 rc = sess_alloc_buffer(sess_data, 12); 1773 if (rc) 1774 goto out; 1775 1776 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1777 1778 /* Build security blob before we assemble the request */ 1779 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1780 &blob_len, ses, server, 1781 sess_data->nls_cp); 1782 if (rc) 1783 goto out_free_ntlmsspblob; 1784 1785 sess_data->iov[1].iov_len = blob_len; 1786 sess_data->iov[1].iov_base = ntlmsspblob; 1787 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1788 1789 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1790 if (rc) 1791 goto out_free_ntlmsspblob; 1792 1793 rc = sess_sendreceive(sess_data); 1794 1795 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1796 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1797 1798 /* If true, rc here is expected and not an error */ 1799 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1800 smb_buf->Status.CifsError == 1801 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1802 rc = 0; 1803 1804 if (rc) 1805 goto out_free_ntlmsspblob; 1806 1807 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1808 1809 if (smb_buf->WordCount != 4) { 1810 rc = smb_EIO1(smb_eio_trace_sess_rawnl_neg_wcc, smb_buf->WordCount); 1811 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1812 goto out_free_ntlmsspblob; 1813 } 1814 1815 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1816 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1817 1818 bytes_remaining = get_bcc(smb_buf); 1819 bcc_ptr = pByteArea(smb_buf); 1820 1821 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1822 if (blob_len > bytes_remaining) { 1823 cifs_dbg(VFS, "bad security blob length %d\n", 1824 blob_len); 1825 rc = -EINVAL; 1826 goto out_free_ntlmsspblob; 1827 } 1828 1829 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1830 1831 out_free_ntlmsspblob: 1832 kfree_sensitive(ntlmsspblob); 1833 out: 1834 sess_free_buffer(sess_data); 1835 1836 if (!rc) { 1837 sess_data->func = sess_auth_rawntlmssp_authenticate; 1838 return; 1839 } 1840 1841 /* Else error. Cleanup */ 1842 kfree_sensitive(ses->auth_key.response); 1843 ses->auth_key.response = NULL; 1844 kfree_sensitive(ses->ntlmssp); 1845 ses->ntlmssp = NULL; 1846 1847 sess_data->func = NULL; 1848 sess_data->result = rc; 1849 } 1850 1851 static void 1852 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1853 { 1854 int rc; 1855 struct smb_hdr *smb_buf; 1856 SESSION_SETUP_ANDX *pSMB; 1857 struct cifs_ses *ses = sess_data->ses; 1858 struct TCP_Server_Info *server = sess_data->server; 1859 __u16 bytes_remaining; 1860 char *bcc_ptr; 1861 unsigned char *ntlmsspblob = NULL; 1862 u16 blob_len; 1863 1864 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1865 1866 /* wct = 12 */ 1867 rc = sess_alloc_buffer(sess_data, 12); 1868 if (rc) 1869 goto out; 1870 1871 /* Build security blob before we assemble the request */ 1872 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1873 smb_buf = (struct smb_hdr *)pSMB; 1874 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1875 &blob_len, ses, server, 1876 sess_data->nls_cp); 1877 if (rc) 1878 goto out_free_ntlmsspblob; 1879 sess_data->iov[1].iov_len = blob_len; 1880 sess_data->iov[1].iov_base = ntlmsspblob; 1881 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1882 /* 1883 * Make sure that we tell the server that we are using 1884 * the uid that it just gave us back on the response 1885 * (challenge) 1886 */ 1887 smb_buf->Uid = ses->Suid; 1888 1889 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1890 if (rc) 1891 goto out_free_ntlmsspblob; 1892 1893 rc = sess_sendreceive(sess_data); 1894 if (rc) 1895 goto out_free_ntlmsspblob; 1896 1897 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1898 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1899 if (smb_buf->WordCount != 4) { 1900 rc = smb_EIO1(smb_eio_trace_sess_rawnl_auth_wcc, smb_buf->WordCount); 1901 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1902 goto out_free_ntlmsspblob; 1903 } 1904 1905 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1906 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1907 1908 if (ses->Suid != smb_buf->Uid) { 1909 ses->Suid = smb_buf->Uid; 1910 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1911 } 1912 1913 bytes_remaining = get_bcc(smb_buf); 1914 bcc_ptr = pByteArea(smb_buf); 1915 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1916 if (blob_len > bytes_remaining) { 1917 cifs_dbg(VFS, "bad security blob length %d\n", 1918 blob_len); 1919 rc = -EINVAL; 1920 goto out_free_ntlmsspblob; 1921 } 1922 bcc_ptr += blob_len; 1923 bytes_remaining -= blob_len; 1924 1925 1926 /* BB check if Unicode and decode strings */ 1927 if (bytes_remaining == 0) { 1928 /* no string area to decode, do nothing */ 1929 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1930 /* unicode string area must be word-aligned */ 1931 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1932 ++bcc_ptr; 1933 --bytes_remaining; 1934 } 1935 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1936 sess_data->nls_cp); 1937 } else { 1938 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1939 sess_data->nls_cp); 1940 } 1941 1942 out_free_ntlmsspblob: 1943 kfree_sensitive(ntlmsspblob); 1944 out: 1945 sess_free_buffer(sess_data); 1946 1947 if (!rc) 1948 rc = sess_establish_session(sess_data); 1949 1950 /* Cleanup */ 1951 kfree_sensitive(ses->auth_key.response); 1952 ses->auth_key.response = NULL; 1953 kfree_sensitive(ses->ntlmssp); 1954 ses->ntlmssp = NULL; 1955 1956 sess_data->func = NULL; 1957 sess_data->result = rc; 1958 } 1959 1960 static int select_sec(struct sess_data *sess_data) 1961 { 1962 int type; 1963 struct cifs_ses *ses = sess_data->ses; 1964 struct TCP_Server_Info *server = sess_data->server; 1965 1966 type = cifs_select_sectype(server, ses->sectype); 1967 cifs_dbg(FYI, "sess setup type %d\n", type); 1968 if (type == Unspecified) { 1969 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1970 return -EINVAL; 1971 } 1972 1973 switch (type) { 1974 case NTLMv2: 1975 sess_data->func = sess_auth_ntlmv2; 1976 break; 1977 case Kerberos: 1978 #ifdef CONFIG_CIFS_UPCALL 1979 sess_data->func = sess_auth_kerberos; 1980 break; 1981 #else 1982 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1983 return -ENOSYS; 1984 #endif /* CONFIG_CIFS_UPCALL */ 1985 case RawNTLMSSP: 1986 sess_data->func = sess_auth_rawntlmssp_negotiate; 1987 break; 1988 default: 1989 cifs_dbg(VFS, "secType %d not supported!\n", type); 1990 return -ENOSYS; 1991 } 1992 1993 return 0; 1994 } 1995 1996 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1997 struct TCP_Server_Info *server, 1998 const struct nls_table *nls_cp) 1999 { 2000 int rc = 0; 2001 struct sess_data *sess_data; 2002 2003 if (ses == NULL) { 2004 WARN(1, "%s: ses == NULL!", __func__); 2005 return -EINVAL; 2006 } 2007 2008 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2009 if (!sess_data) 2010 return -ENOMEM; 2011 2012 sess_data->xid = xid; 2013 sess_data->ses = ses; 2014 sess_data->server = server; 2015 sess_data->buf0_type = CIFS_NO_BUFFER; 2016 sess_data->nls_cp = (struct nls_table *) nls_cp; 2017 2018 rc = select_sec(sess_data); 2019 if (rc) 2020 goto out; 2021 2022 while (sess_data->func) 2023 sess_data->func(sess_data); 2024 2025 /* Store result before we free sess_data */ 2026 rc = sess_data->result; 2027 2028 out: 2029 kfree_sensitive(sess_data); 2030 return rc; 2031 } 2032 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2033