1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool 31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 int 73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 /* if the channel is waiting for termination */ 79 if (server && server->terminate) 80 return CIFS_INVAL_CHAN_INDEX; 81 82 for (i = 0; i < ses->chan_count; i++) { 83 if (ses->chans[i].server == server) 84 return i; 85 } 86 87 /* If we didn't find the channel, it is likely a bug */ 88 if (server) 89 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 90 server->conn_id); 91 return CIFS_INVAL_CHAN_INDEX; 92 } 93 94 void 95 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 96 struct TCP_Server_Info *server) 97 { 98 int chan_index = cifs_ses_get_chan_index(ses, server); 99 100 if (chan_index == CIFS_INVAL_CHAN_INDEX) 101 return; 102 103 ses->chans[chan_index].in_reconnect = true; 104 } 105 106 void 107 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 108 struct TCP_Server_Info *server) 109 { 110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 111 112 if (chan_index == CIFS_INVAL_CHAN_INDEX) 113 return; 114 115 ses->chans[chan_index].in_reconnect = false; 116 } 117 118 bool 119 cifs_chan_in_reconnect(struct cifs_ses *ses, 120 struct TCP_Server_Info *server) 121 { 122 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 123 124 if (chan_index == CIFS_INVAL_CHAN_INDEX) 125 return true; /* err on the safer side */ 126 127 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 128 } 129 130 void 131 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 132 struct TCP_Server_Info *server) 133 { 134 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 135 136 if (chan_index == CIFS_INVAL_CHAN_INDEX) 137 return; 138 139 set_bit(chan_index, &ses->chans_need_reconnect); 140 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 141 chan_index, ses->chans_need_reconnect); 142 } 143 144 void 145 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 146 struct TCP_Server_Info *server) 147 { 148 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 149 150 if (chan_index == CIFS_INVAL_CHAN_INDEX) 151 return; 152 153 clear_bit(chan_index, &ses->chans_need_reconnect); 154 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 155 chan_index, ses->chans_need_reconnect); 156 } 157 158 bool 159 cifs_chan_needs_reconnect(struct cifs_ses *ses, 160 struct TCP_Server_Info *server) 161 { 162 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 163 164 if (chan_index == CIFS_INVAL_CHAN_INDEX) 165 return true; /* err on the safer side */ 166 167 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 168 } 169 170 bool 171 cifs_chan_is_iface_active(struct cifs_ses *ses, 172 struct TCP_Server_Info *server) 173 { 174 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 175 176 if (chan_index == CIFS_INVAL_CHAN_INDEX) 177 return true; /* err on the safer side */ 178 179 return ses->chans[chan_index].iface && 180 ses->chans[chan_index].iface->is_active; 181 } 182 183 /* returns number of channels added */ 184 int cifs_try_adding_channels(struct cifs_ses *ses) 185 { 186 struct TCP_Server_Info *server = ses->server; 187 int old_chan_count, new_chan_count; 188 int left; 189 int rc = 0; 190 int tries = 0; 191 size_t iface_weight = 0, iface_min_speed = 0; 192 struct cifs_server_iface *iface = NULL, *niface = NULL; 193 struct cifs_server_iface *last_iface = NULL; 194 195 spin_lock(&ses->chan_lock); 196 197 new_chan_count = old_chan_count = ses->chan_count; 198 left = ses->chan_max - ses->chan_count; 199 200 if (left <= 0) { 201 spin_unlock(&ses->chan_lock); 202 cifs_dbg(FYI, 203 "ses already at max_channels (%zu), nothing to open\n", 204 ses->chan_max); 205 return 0; 206 } 207 208 if (server->dialect < SMB30_PROT_ID) { 209 spin_unlock(&ses->chan_lock); 210 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 211 return 0; 212 } 213 214 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 215 spin_unlock(&ses->chan_lock); 216 cifs_server_dbg(VFS, "no multichannel support\n"); 217 return 0; 218 } 219 spin_unlock(&ses->chan_lock); 220 221 while (left > 0) { 222 223 tries++; 224 if (tries > 3*ses->chan_max) { 225 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 226 left); 227 break; 228 } 229 230 spin_lock(&ses->iface_lock); 231 if (!ses->iface_count) { 232 spin_unlock(&ses->iface_lock); 233 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", 234 ses->server->hostname); 235 break; 236 } 237 238 if (!iface) 239 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 240 iface_head); 241 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 242 iface_head); 243 iface_min_speed = last_iface->speed; 244 245 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 246 iface_head) { 247 /* do not mix rdma and non-rdma interfaces */ 248 if (iface->rdma_capable != ses->server->rdma) 249 continue; 250 251 /* skip ifaces that are unusable */ 252 if (!iface->is_active || 253 (is_ses_using_iface(ses, iface) && 254 !iface->rss_capable)) 255 continue; 256 257 /* check if we already allocated enough channels */ 258 iface_weight = iface->speed / iface_min_speed; 259 260 if (iface->weight_fulfilled >= iface_weight) 261 continue; 262 263 /* take ref before unlock */ 264 kref_get(&iface->refcount); 265 266 spin_unlock(&ses->iface_lock); 267 rc = cifs_ses_add_channel(ses, iface); 268 spin_lock(&ses->iface_lock); 269 270 if (rc) { 271 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 272 &iface->sockaddr, 273 rc); 274 kref_put(&iface->refcount, release_iface); 275 /* failure to add chan should increase weight */ 276 iface->weight_fulfilled++; 277 continue; 278 } 279 280 iface->num_channels++; 281 iface->weight_fulfilled++; 282 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n", 283 &iface->sockaddr); 284 break; 285 } 286 287 /* reached end of list. reset weight_fulfilled and start over */ 288 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 289 list_for_each_entry(iface, &ses->iface_list, iface_head) 290 iface->weight_fulfilled = 0; 291 spin_unlock(&ses->iface_lock); 292 iface = NULL; 293 continue; 294 } 295 spin_unlock(&ses->iface_lock); 296 297 left--; 298 new_chan_count++; 299 } 300 301 return new_chan_count - old_chan_count; 302 } 303 304 /* 305 * called when multichannel is disabled by the server. 306 * this always gets called from smb2_reconnect 307 * and cannot get called in parallel threads. 308 */ 309 void 310 cifs_disable_secondary_channels(struct cifs_ses *ses) 311 { 312 int i, chan_count; 313 struct TCP_Server_Info *server; 314 struct cifs_server_iface *iface; 315 316 spin_lock(&ses->chan_lock); 317 chan_count = ses->chan_count; 318 if (chan_count == 1) 319 goto done; 320 321 ses->chan_count = 1; 322 323 /* for all secondary channels reset the need reconnect bit */ 324 ses->chans_need_reconnect &= 1; 325 326 for (i = 1; i < chan_count; i++) { 327 iface = ses->chans[i].iface; 328 server = ses->chans[i].server; 329 330 /* 331 * remove these references first, since we need to unlock 332 * the chan_lock here, since iface_lock is a higher lock 333 */ 334 ses->chans[i].iface = NULL; 335 ses->chans[i].server = NULL; 336 spin_unlock(&ses->chan_lock); 337 338 if (iface) { 339 spin_lock(&ses->iface_lock); 340 iface->num_channels--; 341 if (iface->weight_fulfilled) 342 iface->weight_fulfilled--; 343 kref_put(&iface->refcount, release_iface); 344 spin_unlock(&ses->iface_lock); 345 } 346 347 if (server) { 348 if (!server->terminate) { 349 server->terminate = true; 350 cifs_signal_cifsd_for_reconnect(server, false); 351 } 352 cifs_put_tcp_session(server, false); 353 } 354 355 spin_lock(&ses->chan_lock); 356 } 357 358 done: 359 spin_unlock(&ses->chan_lock); 360 } 361 362 /* 363 * update the iface for the channel if necessary. 364 * Must be called with chan_lock held. 365 */ 366 void 367 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 368 { 369 unsigned int chan_index; 370 size_t iface_weight = 0, iface_min_speed = 0; 371 struct cifs_server_iface *iface = NULL; 372 struct cifs_server_iface *old_iface = NULL; 373 struct cifs_server_iface *last_iface = NULL; 374 struct sockaddr_storage ss; 375 376 spin_lock(&ses->chan_lock); 377 chan_index = cifs_ses_get_chan_index(ses, server); 378 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 379 spin_unlock(&ses->chan_lock); 380 return; 381 } 382 383 if (ses->chans[chan_index].iface) { 384 old_iface = ses->chans[chan_index].iface; 385 if (old_iface->is_active) { 386 spin_unlock(&ses->chan_lock); 387 return; 388 } 389 } 390 spin_unlock(&ses->chan_lock); 391 392 spin_lock(&server->srv_lock); 393 ss = server->dstaddr; 394 spin_unlock(&server->srv_lock); 395 396 spin_lock(&ses->iface_lock); 397 if (!ses->iface_count) { 398 spin_unlock(&ses->iface_lock); 399 cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname); 400 return; 401 } 402 403 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 404 iface_head); 405 iface_min_speed = last_iface->speed; 406 407 /* then look for a new one */ 408 list_for_each_entry(iface, &ses->iface_list, iface_head) { 409 if (!chan_index) { 410 /* if we're trying to get the updated iface for primary channel */ 411 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 412 (struct sockaddr *) &iface->sockaddr)) 413 continue; 414 415 kref_get(&iface->refcount); 416 break; 417 } 418 419 /* do not mix rdma and non-rdma interfaces */ 420 if (iface->rdma_capable != server->rdma) 421 continue; 422 423 if (!iface->is_active || 424 (is_ses_using_iface(ses, iface) && 425 !iface->rss_capable)) { 426 continue; 427 } 428 429 /* check if we already allocated enough channels */ 430 iface_weight = iface->speed / iface_min_speed; 431 432 if (iface->weight_fulfilled >= iface_weight) 433 continue; 434 435 kref_get(&iface->refcount); 436 break; 437 } 438 439 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 440 iface = NULL; 441 cifs_dbg(FYI, "unable to find a suitable iface\n"); 442 } 443 444 if (!iface) { 445 if (!chan_index) 446 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 447 &ss); 448 else { 449 cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n", 450 &old_iface->sockaddr); 451 } 452 453 spin_unlock(&ses->iface_lock); 454 return; 455 } 456 457 /* now drop the ref to the current iface */ 458 if (old_iface) { 459 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 460 &old_iface->sockaddr, 461 &iface->sockaddr); 462 463 old_iface->num_channels--; 464 if (old_iface->weight_fulfilled) 465 old_iface->weight_fulfilled--; 466 iface->num_channels++; 467 iface->weight_fulfilled++; 468 469 kref_put(&old_iface->refcount, release_iface); 470 } else if (!chan_index) { 471 /* special case: update interface for primary channel */ 472 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 473 &iface->sockaddr); 474 iface->num_channels++; 475 iface->weight_fulfilled++; 476 } 477 spin_unlock(&ses->iface_lock); 478 479 spin_lock(&ses->chan_lock); 480 chan_index = cifs_ses_get_chan_index(ses, server); 481 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 482 spin_unlock(&ses->chan_lock); 483 return; 484 } 485 486 ses->chans[chan_index].iface = iface; 487 spin_unlock(&ses->chan_lock); 488 } 489 490 /* 491 * If server is a channel of ses, return the corresponding enclosing 492 * cifs_chan otherwise return NULL. 493 */ 494 struct cifs_chan * 495 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 496 { 497 int i; 498 499 spin_lock(&ses->chan_lock); 500 for (i = 0; i < ses->chan_count; i++) { 501 if (ses->chans[i].server == server) { 502 spin_unlock(&ses->chan_lock); 503 return &ses->chans[i]; 504 } 505 } 506 spin_unlock(&ses->chan_lock); 507 return NULL; 508 } 509 510 static int 511 cifs_ses_add_channel(struct cifs_ses *ses, 512 struct cifs_server_iface *iface) 513 { 514 struct TCP_Server_Info *chan_server; 515 struct cifs_chan *chan; 516 struct smb3_fs_context *ctx; 517 static const char unc_fmt[] = "\\%s\\foo"; 518 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 519 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 520 size_t len; 521 int rc; 522 unsigned int xid = get_xid(); 523 524 if (iface->sockaddr.ss_family == AF_INET) 525 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 526 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 527 &ipv4->sin_addr); 528 else 529 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 530 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 531 &ipv6->sin6_addr); 532 533 /* 534 * Setup a ctx with mostly the same info as the existing 535 * session and overwrite it with the requested iface data. 536 * 537 * We need to setup at least the fields used for negprot and 538 * sesssetup. 539 * 540 * We only need the ctx here, so we can reuse memory from 541 * the session and server without caring about memory 542 * management. 543 */ 544 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 545 if (!ctx) { 546 rc = -ENOMEM; 547 goto out_free_xid; 548 } 549 550 /* Always make new connection for now (TODO?) */ 551 ctx->nosharesock = true; 552 553 /* Auth */ 554 ctx->domainauto = ses->domainAuto; 555 ctx->domainname = ses->domainName; 556 557 /* no hostname for extra channels */ 558 ctx->server_hostname = ""; 559 560 ctx->username = ses->user_name; 561 ctx->password = ses->password; 562 ctx->sectype = ses->sectype; 563 ctx->sign = ses->sign; 564 565 /* UNC and paths */ 566 /* XXX: Use ses->server->hostname? */ 567 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 568 ctx->UNC = kzalloc(len, GFP_KERNEL); 569 if (!ctx->UNC) { 570 rc = -ENOMEM; 571 goto out_free_ctx; 572 } 573 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 574 ctx->prepath = ""; 575 576 /* Reuse same version as master connection */ 577 ctx->vals = ses->server->vals; 578 ctx->ops = ses->server->ops; 579 580 ctx->noblocksnd = ses->server->noblocksnd; 581 ctx->noautotune = ses->server->noautotune; 582 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 583 ctx->echo_interval = ses->server->echo_interval / HZ; 584 ctx->max_credits = ses->server->max_credits; 585 586 /* 587 * This will be used for encoding/decoding user/domain/pw 588 * during sess setup auth. 589 */ 590 ctx->local_nls = ses->local_nls; 591 592 /* Use RDMA if possible */ 593 ctx->rdma = iface->rdma_capable; 594 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 595 596 /* reuse master con client guid */ 597 memcpy(&ctx->client_guid, ses->server->client_guid, 598 sizeof(ctx->client_guid)); 599 ctx->use_client_guid = true; 600 601 chan_server = cifs_get_tcp_session(ctx, ses->server); 602 603 spin_lock(&ses->chan_lock); 604 chan = &ses->chans[ses->chan_count]; 605 chan->server = chan_server; 606 if (IS_ERR(chan->server)) { 607 rc = PTR_ERR(chan->server); 608 chan->server = NULL; 609 spin_unlock(&ses->chan_lock); 610 goto out; 611 } 612 chan->iface = iface; 613 ses->chan_count++; 614 atomic_set(&ses->chan_seq, 0); 615 616 /* Mark this channel as needing connect/setup */ 617 cifs_chan_set_need_reconnect(ses, chan->server); 618 619 spin_unlock(&ses->chan_lock); 620 621 mutex_lock(&ses->session_mutex); 622 /* 623 * We need to allocate the server crypto now as we will need 624 * to sign packets before we generate the channel signing key 625 * (we sign with the session key) 626 */ 627 rc = smb311_crypto_shash_allocate(chan->server); 628 if (rc) { 629 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 630 mutex_unlock(&ses->session_mutex); 631 goto out; 632 } 633 634 rc = cifs_negotiate_protocol(xid, ses, chan->server); 635 if (!rc) 636 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 637 638 mutex_unlock(&ses->session_mutex); 639 640 out: 641 if (rc && chan->server) { 642 cifs_put_tcp_session(chan->server, 0); 643 644 spin_lock(&ses->chan_lock); 645 646 /* we rely on all bits beyond chan_count to be clear */ 647 cifs_chan_clear_need_reconnect(ses, chan->server); 648 ses->chan_count--; 649 /* 650 * chan_count should never reach 0 as at least the primary 651 * channel is always allocated 652 */ 653 WARN_ON(ses->chan_count < 1); 654 spin_unlock(&ses->chan_lock); 655 } 656 657 kfree(ctx->UNC); 658 out_free_ctx: 659 kfree(ctx); 660 out_free_xid: 661 free_xid(xid); 662 return rc; 663 } 664 665 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 666 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 667 struct TCP_Server_Info *server, 668 SESSION_SETUP_ANDX *pSMB) 669 { 670 __u32 capabilities = 0; 671 672 /* init fields common to all four types of SessSetup */ 673 /* Note that offsets for first seven fields in req struct are same */ 674 /* in CIFS Specs so does not matter which of 3 forms of struct */ 675 /* that we use in next few lines */ 676 /* Note that header is initialized to zero in header_assemble */ 677 pSMB->req.AndXCommand = 0xFF; 678 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 679 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 680 USHRT_MAX)); 681 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 682 pSMB->req.VcNumber = cpu_to_le16(1); 683 684 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 685 686 /* BB verify whether signing required on neg or just auth frame (and NTLM case) */ 687 688 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 689 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 690 691 if (server->sign) 692 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 693 694 if (ses->capabilities & CAP_UNICODE) { 695 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 696 capabilities |= CAP_UNICODE; 697 } 698 if (ses->capabilities & CAP_STATUS32) { 699 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 700 capabilities |= CAP_STATUS32; 701 } 702 if (ses->capabilities & CAP_DFS) { 703 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 704 capabilities |= CAP_DFS; 705 } 706 if (ses->capabilities & CAP_UNIX) 707 capabilities |= CAP_UNIX; 708 709 return capabilities; 710 } 711 712 static void 713 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 714 { 715 char *bcc_ptr = *pbcc_area; 716 int bytes_ret = 0; 717 718 /* Copy OS version */ 719 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 720 nls_cp); 721 bcc_ptr += 2 * bytes_ret; 722 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 723 32, nls_cp); 724 bcc_ptr += 2 * bytes_ret; 725 bcc_ptr += 2; /* trailing null */ 726 727 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 728 32, nls_cp); 729 bcc_ptr += 2 * bytes_ret; 730 bcc_ptr += 2; /* trailing null */ 731 732 *pbcc_area = bcc_ptr; 733 } 734 735 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 736 const struct nls_table *nls_cp) 737 { 738 char *bcc_ptr = *pbcc_area; 739 int bytes_ret = 0; 740 741 /* copy domain */ 742 if (ses->domainName == NULL) { 743 /* 744 * Sending null domain better than using a bogus domain name (as 745 * we did briefly in 2.6.18) since server will use its default 746 */ 747 *bcc_ptr = 0; 748 *(bcc_ptr+1) = 0; 749 bytes_ret = 0; 750 } else 751 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 752 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 753 bcc_ptr += 2 * bytes_ret; 754 bcc_ptr += 2; /* account for null terminator */ 755 756 *pbcc_area = bcc_ptr; 757 } 758 759 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 760 const struct nls_table *nls_cp) 761 { 762 char *bcc_ptr = *pbcc_area; 763 int bytes_ret = 0; 764 765 /* BB FIXME add check that strings less than 335 or will need to send as arrays */ 766 767 /* copy user */ 768 if (ses->user_name == NULL) { 769 /* null user mount */ 770 *bcc_ptr = 0; 771 *(bcc_ptr+1) = 0; 772 } else { 773 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 774 CIFS_MAX_USERNAME_LEN, nls_cp); 775 } 776 bcc_ptr += 2 * bytes_ret; 777 bcc_ptr += 2; /* account for null termination */ 778 779 unicode_domain_string(&bcc_ptr, ses, nls_cp); 780 unicode_oslm_strings(&bcc_ptr, nls_cp); 781 782 *pbcc_area = bcc_ptr; 783 } 784 785 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 786 const struct nls_table *nls_cp) 787 { 788 char *bcc_ptr = *pbcc_area; 789 int len; 790 791 /* copy user */ 792 /* BB what about null user mounts - check that we do this BB */ 793 /* copy user */ 794 if (ses->user_name != NULL) { 795 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 796 if (WARN_ON_ONCE(len < 0)) 797 len = CIFS_MAX_USERNAME_LEN - 1; 798 bcc_ptr += len; 799 } 800 /* else null user mount */ 801 *bcc_ptr = 0; 802 bcc_ptr++; /* account for null termination */ 803 804 /* copy domain */ 805 if (ses->domainName != NULL) { 806 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 807 if (WARN_ON_ONCE(len < 0)) 808 len = CIFS_MAX_DOMAINNAME_LEN - 1; 809 bcc_ptr += len; 810 } /* else we send a null domain name so server will default to its own domain */ 811 *bcc_ptr = 0; 812 bcc_ptr++; 813 814 /* BB check for overflow here */ 815 816 strcpy(bcc_ptr, "Linux version "); 817 bcc_ptr += strlen("Linux version "); 818 strcpy(bcc_ptr, init_utsname()->release); 819 bcc_ptr += strlen(init_utsname()->release) + 1; 820 821 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 822 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 823 824 *pbcc_area = bcc_ptr; 825 } 826 827 static void 828 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 829 const struct nls_table *nls_cp) 830 { 831 int len; 832 char *data = *pbcc_area; 833 834 cifs_dbg(FYI, "bleft %d\n", bleft); 835 836 kfree(ses->serverOS); 837 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 838 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 839 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 840 data += len; 841 bleft -= len; 842 if (bleft <= 0) 843 return; 844 845 kfree(ses->serverNOS); 846 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 847 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 848 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 849 data += len; 850 bleft -= len; 851 if (bleft <= 0) 852 return; 853 854 kfree(ses->serverDomain); 855 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 856 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 857 858 return; 859 } 860 861 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 862 struct cifs_ses *ses, 863 const struct nls_table *nls_cp) 864 { 865 int len; 866 char *bcc_ptr = *pbcc_area; 867 868 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 869 870 len = strnlen(bcc_ptr, bleft); 871 if (len >= bleft) 872 return; 873 874 kfree(ses->serverOS); 875 876 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 877 if (ses->serverOS) { 878 memcpy(ses->serverOS, bcc_ptr, len); 879 ses->serverOS[len] = 0; 880 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 881 cifs_dbg(FYI, "OS/2 server\n"); 882 } 883 884 bcc_ptr += len + 1; 885 bleft -= len + 1; 886 887 len = strnlen(bcc_ptr, bleft); 888 if (len >= bleft) 889 return; 890 891 kfree(ses->serverNOS); 892 893 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 894 if (ses->serverNOS) { 895 memcpy(ses->serverNOS, bcc_ptr, len); 896 ses->serverNOS[len] = 0; 897 } 898 899 bcc_ptr += len + 1; 900 bleft -= len + 1; 901 902 len = strnlen(bcc_ptr, bleft); 903 if (len > bleft) 904 return; 905 906 /* 907 * No domain field in LANMAN case. Domain is 908 * returned by old servers in the SMB negprot response 909 * 910 * BB For newer servers which do not support Unicode, 911 * but thus do return domain here, we could add parsing 912 * for it later, but it is not very important 913 */ 914 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 915 } 916 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 917 918 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 919 struct cifs_ses *ses) 920 { 921 unsigned int tioffset; /* challenge message target info area */ 922 unsigned int tilen; /* challenge message target info area length */ 923 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 924 __u32 server_flags; 925 926 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 927 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 928 return -EINVAL; 929 } 930 931 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 932 cifs_dbg(VFS, "blob signature incorrect %s\n", 933 pblob->Signature); 934 return -EINVAL; 935 } 936 if (pblob->MessageType != NtLmChallenge) { 937 cifs_dbg(VFS, "Incorrect message type %d\n", 938 pblob->MessageType); 939 return -EINVAL; 940 } 941 942 server_flags = le32_to_cpu(pblob->NegotiateFlags); 943 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 944 ses->ntlmssp->client_flags, server_flags); 945 946 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 947 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 948 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 949 __func__); 950 return -EINVAL; 951 } 952 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 953 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 954 return -EINVAL; 955 } 956 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 957 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 958 __func__); 959 return -EOPNOTSUPP; 960 } 961 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 962 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 963 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 964 __func__); 965 966 ses->ntlmssp->server_flags = server_flags; 967 968 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 969 /* 970 * In particular we can examine sign flags 971 * 972 * BB spec says that if AvId field of MsvAvTimestamp is populated then 973 * we must set the MIC field of the AUTHENTICATE_MESSAGE 974 */ 975 976 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 977 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 978 if (tioffset > blob_len || tioffset + tilen > blob_len) { 979 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 980 tioffset, tilen); 981 return -EINVAL; 982 } 983 if (tilen) { 984 kfree_sensitive(ses->auth_key.response); 985 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 986 GFP_KERNEL); 987 if (!ses->auth_key.response) { 988 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 989 return -ENOMEM; 990 } 991 ses->auth_key.len = tilen; 992 } 993 994 return 0; 995 } 996 997 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 998 { 999 int sz = base_size + ses->auth_key.len 1000 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 1001 1002 if (ses->domainName) 1003 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1004 else 1005 sz += sizeof(__le16); 1006 1007 if (ses->user_name) 1008 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1009 else 1010 sz += sizeof(__le16); 1011 1012 if (ses->workstation_name[0]) 1013 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1014 ntlmssp_workstation_name_size(ses)); 1015 else 1016 sz += sizeof(__le16); 1017 1018 return sz; 1019 } 1020 1021 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1022 char *str_value, 1023 int str_length, 1024 unsigned char *pstart, 1025 unsigned char **pcur, 1026 const struct nls_table *nls_cp) 1027 { 1028 unsigned char *tmp = pstart; 1029 int len; 1030 1031 if (!pbuf) 1032 return; 1033 1034 if (!pcur) 1035 pcur = &tmp; 1036 1037 if (!str_value) { 1038 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1039 pbuf->Length = 0; 1040 pbuf->MaximumLength = 0; 1041 *pcur += sizeof(__le16); 1042 } else { 1043 len = cifs_strtoUTF16((__le16 *)*pcur, 1044 str_value, 1045 str_length, 1046 nls_cp); 1047 len *= sizeof(__le16); 1048 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1049 pbuf->Length = cpu_to_le16(len); 1050 pbuf->MaximumLength = cpu_to_le16(len); 1051 *pcur += len; 1052 } 1053 } 1054 1055 /* BB Move to ntlmssp.c eventually */ 1056 1057 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1058 u16 *buflen, 1059 struct cifs_ses *ses, 1060 struct TCP_Server_Info *server, 1061 const struct nls_table *nls_cp) 1062 { 1063 int rc = 0; 1064 NEGOTIATE_MESSAGE *sec_blob; 1065 __u32 flags; 1066 unsigned char *tmp; 1067 int len; 1068 1069 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1070 *pbuffer = kmalloc(len, GFP_KERNEL); 1071 if (!*pbuffer) { 1072 rc = -ENOMEM; 1073 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1074 *buflen = 0; 1075 goto setup_ntlm_neg_ret; 1076 } 1077 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1078 1079 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1080 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1081 sec_blob->MessageType = NtLmNegotiate; 1082 1083 /* BB is NTLMV2 session security format easier to use here? */ 1084 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1085 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1086 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1087 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1088 NTLMSSP_NEGOTIATE_SIGN; 1089 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1090 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1091 1092 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1093 ses->ntlmssp->client_flags = flags; 1094 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1095 1096 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1097 cifs_security_buffer_from_str(&sec_blob->DomainName, 1098 NULL, 1099 CIFS_MAX_DOMAINNAME_LEN, 1100 *pbuffer, &tmp, 1101 nls_cp); 1102 1103 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1104 NULL, 1105 CIFS_MAX_WORKSTATION_LEN, 1106 *pbuffer, &tmp, 1107 nls_cp); 1108 1109 *buflen = tmp - *pbuffer; 1110 setup_ntlm_neg_ret: 1111 return rc; 1112 } 1113 1114 /* 1115 * Build ntlmssp blob with additional fields, such as version, 1116 * supported by modern servers. For safety limit to SMB3 or later 1117 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1118 */ 1119 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1120 u16 *buflen, 1121 struct cifs_ses *ses, 1122 struct TCP_Server_Info *server, 1123 const struct nls_table *nls_cp) 1124 { 1125 int rc = 0; 1126 struct negotiate_message *sec_blob; 1127 __u32 flags; 1128 unsigned char *tmp; 1129 int len; 1130 1131 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1132 *pbuffer = kmalloc(len, GFP_KERNEL); 1133 if (!*pbuffer) { 1134 rc = -ENOMEM; 1135 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1136 *buflen = 0; 1137 goto setup_ntlm_smb3_neg_ret; 1138 } 1139 sec_blob = (struct negotiate_message *)*pbuffer; 1140 1141 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1142 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1143 sec_blob->MessageType = NtLmNegotiate; 1144 1145 /* BB is NTLMV2 session security format easier to use here? */ 1146 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1147 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1148 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1149 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1150 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1151 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1152 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1153 1154 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1155 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1156 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1157 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1158 1159 tmp = *pbuffer + sizeof(struct negotiate_message); 1160 ses->ntlmssp->client_flags = flags; 1161 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1162 1163 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1164 cifs_security_buffer_from_str(&sec_blob->DomainName, 1165 NULL, 1166 CIFS_MAX_DOMAINNAME_LEN, 1167 *pbuffer, &tmp, 1168 nls_cp); 1169 1170 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1171 NULL, 1172 CIFS_MAX_WORKSTATION_LEN, 1173 *pbuffer, &tmp, 1174 nls_cp); 1175 1176 *buflen = tmp - *pbuffer; 1177 setup_ntlm_smb3_neg_ret: 1178 return rc; 1179 } 1180 1181 1182 /* See MS-NLMP 2.2.1.3 */ 1183 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1184 u16 *buflen, 1185 struct cifs_ses *ses, 1186 struct TCP_Server_Info *server, 1187 const struct nls_table *nls_cp) 1188 { 1189 int rc; 1190 AUTHENTICATE_MESSAGE *sec_blob; 1191 __u32 flags; 1192 unsigned char *tmp; 1193 int len; 1194 1195 rc = setup_ntlmv2_rsp(ses, nls_cp); 1196 if (rc) { 1197 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1198 *buflen = 0; 1199 goto setup_ntlmv2_ret; 1200 } 1201 1202 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1203 *pbuffer = kmalloc(len, GFP_KERNEL); 1204 if (!*pbuffer) { 1205 rc = -ENOMEM; 1206 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1207 *buflen = 0; 1208 goto setup_ntlmv2_ret; 1209 } 1210 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1211 1212 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1213 sec_blob->MessageType = NtLmAuthenticate; 1214 1215 /* send version information in ntlmssp authenticate also */ 1216 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1217 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 1218 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1219 1220 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1221 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1222 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1223 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1224 1225 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1226 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1227 1228 sec_blob->LmChallengeResponse.BufferOffset = 1229 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1230 sec_blob->LmChallengeResponse.Length = 0; 1231 sec_blob->LmChallengeResponse.MaximumLength = 0; 1232 1233 sec_blob->NtChallengeResponse.BufferOffset = 1234 cpu_to_le32(tmp - *pbuffer); 1235 if (ses->user_name != NULL) { 1236 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1237 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1238 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1239 1240 sec_blob->NtChallengeResponse.Length = 1241 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1242 sec_blob->NtChallengeResponse.MaximumLength = 1243 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1244 } else { 1245 /* 1246 * don't send an NT Response for anonymous access 1247 */ 1248 sec_blob->NtChallengeResponse.Length = 0; 1249 sec_blob->NtChallengeResponse.MaximumLength = 0; 1250 } 1251 1252 cifs_security_buffer_from_str(&sec_blob->DomainName, 1253 ses->domainName, 1254 CIFS_MAX_DOMAINNAME_LEN, 1255 *pbuffer, &tmp, 1256 nls_cp); 1257 1258 cifs_security_buffer_from_str(&sec_blob->UserName, 1259 ses->user_name, 1260 CIFS_MAX_USERNAME_LEN, 1261 *pbuffer, &tmp, 1262 nls_cp); 1263 1264 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1265 ses->workstation_name, 1266 ntlmssp_workstation_name_size(ses), 1267 *pbuffer, &tmp, 1268 nls_cp); 1269 1270 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1271 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1272 !calc_seckey(ses)) { 1273 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1274 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1275 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1276 sec_blob->SessionKey.MaximumLength = 1277 cpu_to_le16(CIFS_CPHTXT_SIZE); 1278 tmp += CIFS_CPHTXT_SIZE; 1279 } else { 1280 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1281 sec_blob->SessionKey.Length = 0; 1282 sec_blob->SessionKey.MaximumLength = 0; 1283 } 1284 1285 *buflen = tmp - *pbuffer; 1286 setup_ntlmv2_ret: 1287 return rc; 1288 } 1289 1290 enum securityEnum 1291 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1292 { 1293 switch (server->negflavor) { 1294 case CIFS_NEGFLAVOR_EXTENDED: 1295 switch (requested) { 1296 case Kerberos: 1297 case RawNTLMSSP: 1298 return requested; 1299 case Unspecified: 1300 if (server->sec_ntlmssp && 1301 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1302 return RawNTLMSSP; 1303 if ((server->sec_kerberos || server->sec_mskerberos) && 1304 (global_secflags & CIFSSEC_MAY_KRB5)) 1305 return Kerberos; 1306 fallthrough; 1307 default: 1308 return Unspecified; 1309 } 1310 case CIFS_NEGFLAVOR_UNENCAP: 1311 switch (requested) { 1312 case NTLMv2: 1313 return requested; 1314 case Unspecified: 1315 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1316 return NTLMv2; 1317 break; 1318 default: 1319 break; 1320 } 1321 fallthrough; 1322 default: 1323 return Unspecified; 1324 } 1325 } 1326 1327 struct sess_data { 1328 unsigned int xid; 1329 struct cifs_ses *ses; 1330 struct TCP_Server_Info *server; 1331 struct nls_table *nls_cp; 1332 void (*func)(struct sess_data *); 1333 int result; 1334 1335 /* we will send the SMB in three pieces: 1336 * a fixed length beginning part, an optional 1337 * SPNEGO blob (which can be zero length), and a 1338 * last part which will include the strings 1339 * and rest of bcc area. This allows us to avoid 1340 * a large buffer 17K allocation 1341 */ 1342 int buf0_type; 1343 struct kvec iov[3]; 1344 }; 1345 1346 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1347 static int 1348 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1349 { 1350 int rc; 1351 struct cifs_ses *ses = sess_data->ses; 1352 struct smb_hdr *smb_buf; 1353 1354 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1355 (void **)&smb_buf); 1356 1357 if (rc) 1358 return rc; 1359 1360 sess_data->iov[0].iov_base = (char *)smb_buf; 1361 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1362 /* 1363 * This variable will be used to clear the buffer 1364 * allocated above in case of any error in the calling function. 1365 */ 1366 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1367 1368 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1369 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1370 if (!sess_data->iov[2].iov_base) { 1371 rc = -ENOMEM; 1372 goto out_free_smb_buf; 1373 } 1374 1375 return 0; 1376 1377 out_free_smb_buf: 1378 cifs_small_buf_release(smb_buf); 1379 sess_data->iov[0].iov_base = NULL; 1380 sess_data->iov[0].iov_len = 0; 1381 sess_data->buf0_type = CIFS_NO_BUFFER; 1382 return rc; 1383 } 1384 1385 static void 1386 sess_free_buffer(struct sess_data *sess_data) 1387 { 1388 struct kvec *iov = sess_data->iov; 1389 1390 /* 1391 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1392 * Note that iov[1] is already freed by caller. 1393 */ 1394 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1395 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1396 1397 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1398 sess_data->buf0_type = CIFS_NO_BUFFER; 1399 kfree_sensitive(iov[2].iov_base); 1400 } 1401 1402 static int 1403 sess_establish_session(struct sess_data *sess_data) 1404 { 1405 struct cifs_ses *ses = sess_data->ses; 1406 struct TCP_Server_Info *server = sess_data->server; 1407 1408 cifs_server_lock(server); 1409 if (!server->session_estab) { 1410 if (server->sign) { 1411 server->session_key.response = 1412 kmemdup(ses->auth_key.response, 1413 ses->auth_key.len, GFP_KERNEL); 1414 if (!server->session_key.response) { 1415 cifs_server_unlock(server); 1416 return -ENOMEM; 1417 } 1418 server->session_key.len = 1419 ses->auth_key.len; 1420 } 1421 server->sequence_number = 0x2; 1422 server->session_estab = true; 1423 } 1424 cifs_server_unlock(server); 1425 1426 cifs_dbg(FYI, "CIFS session established successfully\n"); 1427 return 0; 1428 } 1429 1430 static int 1431 sess_sendreceive(struct sess_data *sess_data) 1432 { 1433 int rc; 1434 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1435 __u16 count; 1436 struct kvec rsp_iov = { NULL, 0 }; 1437 1438 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1439 be32_add_cpu(&smb_buf->smb_buf_length, count); 1440 put_bcc(count, smb_buf); 1441 1442 rc = SendReceive2(sess_data->xid, sess_data->ses, 1443 sess_data->iov, 3 /* num_iovecs */, 1444 &sess_data->buf0_type, 1445 CIFS_LOG_ERROR, &rsp_iov); 1446 cifs_small_buf_release(sess_data->iov[0].iov_base); 1447 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1448 1449 return rc; 1450 } 1451 1452 static void 1453 sess_auth_ntlmv2(struct sess_data *sess_data) 1454 { 1455 int rc = 0; 1456 struct smb_hdr *smb_buf; 1457 SESSION_SETUP_ANDX *pSMB; 1458 char *bcc_ptr; 1459 struct cifs_ses *ses = sess_data->ses; 1460 struct TCP_Server_Info *server = sess_data->server; 1461 __u32 capabilities; 1462 __u16 bytes_remaining; 1463 1464 /* old style NTLM sessionsetup */ 1465 /* wct = 13 */ 1466 rc = sess_alloc_buffer(sess_data, 13); 1467 if (rc) 1468 goto out; 1469 1470 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1471 bcc_ptr = sess_data->iov[2].iov_base; 1472 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1473 1474 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1475 1476 /* LM2 password would be here if we supported it */ 1477 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1478 1479 if (ses->user_name != NULL) { 1480 /* calculate nlmv2 response and session key */ 1481 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1482 if (rc) { 1483 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1484 goto out; 1485 } 1486 1487 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1488 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1489 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1490 1491 /* set case sensitive password length after tilen may get 1492 * assigned, tilen is 0 otherwise. 1493 */ 1494 pSMB->req_no_secext.CaseSensitivePasswordLength = 1495 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1496 } else { 1497 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1498 } 1499 1500 if (ses->capabilities & CAP_UNICODE) { 1501 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1502 *bcc_ptr = 0; 1503 bcc_ptr++; 1504 } 1505 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1506 } else { 1507 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1508 } 1509 1510 1511 sess_data->iov[2].iov_len = (long) bcc_ptr - 1512 (long) sess_data->iov[2].iov_base; 1513 1514 rc = sess_sendreceive(sess_data); 1515 if (rc) 1516 goto out; 1517 1518 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1519 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1520 1521 if (smb_buf->WordCount != 3) { 1522 rc = -EIO; 1523 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1524 goto out; 1525 } 1526 1527 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1528 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1529 1530 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1531 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1532 1533 bytes_remaining = get_bcc(smb_buf); 1534 bcc_ptr = pByteArea(smb_buf); 1535 1536 /* BB check if Unicode and decode strings */ 1537 if (bytes_remaining == 0) { 1538 /* no string area to decode, do nothing */ 1539 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1540 /* unicode string area must be word-aligned */ 1541 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1542 ++bcc_ptr; 1543 --bytes_remaining; 1544 } 1545 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1546 sess_data->nls_cp); 1547 } else { 1548 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1549 sess_data->nls_cp); 1550 } 1551 1552 rc = sess_establish_session(sess_data); 1553 out: 1554 sess_data->result = rc; 1555 sess_data->func = NULL; 1556 sess_free_buffer(sess_data); 1557 kfree_sensitive(ses->auth_key.response); 1558 ses->auth_key.response = NULL; 1559 } 1560 1561 #ifdef CONFIG_CIFS_UPCALL 1562 static void 1563 sess_auth_kerberos(struct sess_data *sess_data) 1564 { 1565 int rc = 0; 1566 struct smb_hdr *smb_buf; 1567 SESSION_SETUP_ANDX *pSMB; 1568 char *bcc_ptr; 1569 struct cifs_ses *ses = sess_data->ses; 1570 struct TCP_Server_Info *server = sess_data->server; 1571 __u32 capabilities; 1572 __u16 bytes_remaining; 1573 struct key *spnego_key = NULL; 1574 struct cifs_spnego_msg *msg; 1575 u16 blob_len; 1576 1577 /* extended security */ 1578 /* wct = 12 */ 1579 rc = sess_alloc_buffer(sess_data, 12); 1580 if (rc) 1581 goto out; 1582 1583 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1584 bcc_ptr = sess_data->iov[2].iov_base; 1585 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1586 1587 spnego_key = cifs_get_spnego_key(ses, server); 1588 if (IS_ERR(spnego_key)) { 1589 rc = PTR_ERR(spnego_key); 1590 spnego_key = NULL; 1591 goto out; 1592 } 1593 1594 msg = spnego_key->payload.data[0]; 1595 /* 1596 * check version field to make sure that cifs.upcall is 1597 * sending us a response in an expected form 1598 */ 1599 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1600 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1601 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1602 rc = -EKEYREJECTED; 1603 goto out_put_spnego_key; 1604 } 1605 1606 kfree_sensitive(ses->auth_key.response); 1607 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1608 GFP_KERNEL); 1609 if (!ses->auth_key.response) { 1610 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1611 msg->sesskey_len); 1612 rc = -ENOMEM; 1613 goto out_put_spnego_key; 1614 } 1615 ses->auth_key.len = msg->sesskey_len; 1616 1617 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1618 capabilities |= CAP_EXTENDED_SECURITY; 1619 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1620 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1621 sess_data->iov[1].iov_len = msg->secblob_len; 1622 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1623 1624 if (ses->capabilities & CAP_UNICODE) { 1625 /* unicode strings must be word aligned */ 1626 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1627 *bcc_ptr = 0; 1628 bcc_ptr++; 1629 } 1630 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1631 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1632 } else { 1633 /* BB: is this right? */ 1634 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1635 } 1636 1637 sess_data->iov[2].iov_len = (long) bcc_ptr - 1638 (long) sess_data->iov[2].iov_base; 1639 1640 rc = sess_sendreceive(sess_data); 1641 if (rc) 1642 goto out_put_spnego_key; 1643 1644 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1645 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1646 1647 if (smb_buf->WordCount != 4) { 1648 rc = -EIO; 1649 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1650 goto out_put_spnego_key; 1651 } 1652 1653 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1654 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1655 1656 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1657 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1658 1659 bytes_remaining = get_bcc(smb_buf); 1660 bcc_ptr = pByteArea(smb_buf); 1661 1662 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1663 if (blob_len > bytes_remaining) { 1664 cifs_dbg(VFS, "bad security blob length %d\n", 1665 blob_len); 1666 rc = -EINVAL; 1667 goto out_put_spnego_key; 1668 } 1669 bcc_ptr += blob_len; 1670 bytes_remaining -= blob_len; 1671 1672 /* BB check if Unicode and decode strings */ 1673 if (bytes_remaining == 0) { 1674 /* no string area to decode, do nothing */ 1675 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1676 /* unicode string area must be word-aligned */ 1677 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1678 ++bcc_ptr; 1679 --bytes_remaining; 1680 } 1681 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1682 sess_data->nls_cp); 1683 } else { 1684 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1685 sess_data->nls_cp); 1686 } 1687 1688 rc = sess_establish_session(sess_data); 1689 out_put_spnego_key: 1690 key_invalidate(spnego_key); 1691 key_put(spnego_key); 1692 out: 1693 sess_data->result = rc; 1694 sess_data->func = NULL; 1695 sess_free_buffer(sess_data); 1696 kfree_sensitive(ses->auth_key.response); 1697 ses->auth_key.response = NULL; 1698 } 1699 1700 #endif /* ! CONFIG_CIFS_UPCALL */ 1701 1702 /* 1703 * The required kvec buffers have to be allocated before calling this 1704 * function. 1705 */ 1706 static int 1707 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1708 { 1709 SESSION_SETUP_ANDX *pSMB; 1710 struct cifs_ses *ses = sess_data->ses; 1711 struct TCP_Server_Info *server = sess_data->server; 1712 __u32 capabilities; 1713 char *bcc_ptr; 1714 1715 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1716 1717 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1718 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1719 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1720 return -ENOSYS; 1721 } 1722 1723 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1724 capabilities |= CAP_EXTENDED_SECURITY; 1725 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1726 1727 bcc_ptr = sess_data->iov[2].iov_base; 1728 /* unicode strings must be word aligned */ 1729 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1730 *bcc_ptr = 0; 1731 bcc_ptr++; 1732 } 1733 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1734 1735 sess_data->iov[2].iov_len = (long) bcc_ptr - 1736 (long) sess_data->iov[2].iov_base; 1737 1738 return 0; 1739 } 1740 1741 static void 1742 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1743 1744 static void 1745 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1746 { 1747 int rc; 1748 struct smb_hdr *smb_buf; 1749 SESSION_SETUP_ANDX *pSMB; 1750 struct cifs_ses *ses = sess_data->ses; 1751 struct TCP_Server_Info *server = sess_data->server; 1752 __u16 bytes_remaining; 1753 char *bcc_ptr; 1754 unsigned char *ntlmsspblob = NULL; 1755 u16 blob_len; 1756 1757 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1758 1759 /* 1760 * if memory allocation is successful, caller of this function 1761 * frees it. 1762 */ 1763 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1764 if (!ses->ntlmssp) { 1765 rc = -ENOMEM; 1766 goto out; 1767 } 1768 ses->ntlmssp->sesskey_per_smbsess = false; 1769 1770 /* wct = 12 */ 1771 rc = sess_alloc_buffer(sess_data, 12); 1772 if (rc) 1773 goto out; 1774 1775 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1776 1777 /* Build security blob before we assemble the request */ 1778 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1779 &blob_len, ses, server, 1780 sess_data->nls_cp); 1781 if (rc) 1782 goto out_free_ntlmsspblob; 1783 1784 sess_data->iov[1].iov_len = blob_len; 1785 sess_data->iov[1].iov_base = ntlmsspblob; 1786 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1787 1788 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1789 if (rc) 1790 goto out_free_ntlmsspblob; 1791 1792 rc = sess_sendreceive(sess_data); 1793 1794 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1795 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1796 1797 /* If true, rc here is expected and not an error */ 1798 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1799 smb_buf->Status.CifsError == 1800 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1801 rc = 0; 1802 1803 if (rc) 1804 goto out_free_ntlmsspblob; 1805 1806 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1807 1808 if (smb_buf->WordCount != 4) { 1809 rc = -EIO; 1810 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1811 goto out_free_ntlmsspblob; 1812 } 1813 1814 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1815 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1816 1817 bytes_remaining = get_bcc(smb_buf); 1818 bcc_ptr = pByteArea(smb_buf); 1819 1820 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1821 if (blob_len > bytes_remaining) { 1822 cifs_dbg(VFS, "bad security blob length %d\n", 1823 blob_len); 1824 rc = -EINVAL; 1825 goto out_free_ntlmsspblob; 1826 } 1827 1828 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1829 1830 out_free_ntlmsspblob: 1831 kfree_sensitive(ntlmsspblob); 1832 out: 1833 sess_free_buffer(sess_data); 1834 1835 if (!rc) { 1836 sess_data->func = sess_auth_rawntlmssp_authenticate; 1837 return; 1838 } 1839 1840 /* Else error. Cleanup */ 1841 kfree_sensitive(ses->auth_key.response); 1842 ses->auth_key.response = NULL; 1843 kfree_sensitive(ses->ntlmssp); 1844 ses->ntlmssp = NULL; 1845 1846 sess_data->func = NULL; 1847 sess_data->result = rc; 1848 } 1849 1850 static void 1851 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1852 { 1853 int rc; 1854 struct smb_hdr *smb_buf; 1855 SESSION_SETUP_ANDX *pSMB; 1856 struct cifs_ses *ses = sess_data->ses; 1857 struct TCP_Server_Info *server = sess_data->server; 1858 __u16 bytes_remaining; 1859 char *bcc_ptr; 1860 unsigned char *ntlmsspblob = NULL; 1861 u16 blob_len; 1862 1863 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1864 1865 /* wct = 12 */ 1866 rc = sess_alloc_buffer(sess_data, 12); 1867 if (rc) 1868 goto out; 1869 1870 /* Build security blob before we assemble the request */ 1871 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1872 smb_buf = (struct smb_hdr *)pSMB; 1873 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1874 &blob_len, ses, server, 1875 sess_data->nls_cp); 1876 if (rc) 1877 goto out_free_ntlmsspblob; 1878 sess_data->iov[1].iov_len = blob_len; 1879 sess_data->iov[1].iov_base = ntlmsspblob; 1880 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1881 /* 1882 * Make sure that we tell the server that we are using 1883 * the uid that it just gave us back on the response 1884 * (challenge) 1885 */ 1886 smb_buf->Uid = ses->Suid; 1887 1888 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1889 if (rc) 1890 goto out_free_ntlmsspblob; 1891 1892 rc = sess_sendreceive(sess_data); 1893 if (rc) 1894 goto out_free_ntlmsspblob; 1895 1896 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1897 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1898 if (smb_buf->WordCount != 4) { 1899 rc = -EIO; 1900 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1901 goto out_free_ntlmsspblob; 1902 } 1903 1904 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1905 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1906 1907 if (ses->Suid != smb_buf->Uid) { 1908 ses->Suid = smb_buf->Uid; 1909 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1910 } 1911 1912 bytes_remaining = get_bcc(smb_buf); 1913 bcc_ptr = pByteArea(smb_buf); 1914 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1915 if (blob_len > bytes_remaining) { 1916 cifs_dbg(VFS, "bad security blob length %d\n", 1917 blob_len); 1918 rc = -EINVAL; 1919 goto out_free_ntlmsspblob; 1920 } 1921 bcc_ptr += blob_len; 1922 bytes_remaining -= blob_len; 1923 1924 1925 /* BB check if Unicode and decode strings */ 1926 if (bytes_remaining == 0) { 1927 /* no string area to decode, do nothing */ 1928 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1929 /* unicode string area must be word-aligned */ 1930 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1931 ++bcc_ptr; 1932 --bytes_remaining; 1933 } 1934 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1935 sess_data->nls_cp); 1936 } else { 1937 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1938 sess_data->nls_cp); 1939 } 1940 1941 out_free_ntlmsspblob: 1942 kfree_sensitive(ntlmsspblob); 1943 out: 1944 sess_free_buffer(sess_data); 1945 1946 if (!rc) 1947 rc = sess_establish_session(sess_data); 1948 1949 /* Cleanup */ 1950 kfree_sensitive(ses->auth_key.response); 1951 ses->auth_key.response = NULL; 1952 kfree_sensitive(ses->ntlmssp); 1953 ses->ntlmssp = NULL; 1954 1955 sess_data->func = NULL; 1956 sess_data->result = rc; 1957 } 1958 1959 static int select_sec(struct sess_data *sess_data) 1960 { 1961 int type; 1962 struct cifs_ses *ses = sess_data->ses; 1963 struct TCP_Server_Info *server = sess_data->server; 1964 1965 type = cifs_select_sectype(server, ses->sectype); 1966 cifs_dbg(FYI, "sess setup type %d\n", type); 1967 if (type == Unspecified) { 1968 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1969 return -EINVAL; 1970 } 1971 1972 switch (type) { 1973 case NTLMv2: 1974 sess_data->func = sess_auth_ntlmv2; 1975 break; 1976 case Kerberos: 1977 #ifdef CONFIG_CIFS_UPCALL 1978 sess_data->func = sess_auth_kerberos; 1979 break; 1980 #else 1981 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1982 return -ENOSYS; 1983 #endif /* CONFIG_CIFS_UPCALL */ 1984 case RawNTLMSSP: 1985 sess_data->func = sess_auth_rawntlmssp_negotiate; 1986 break; 1987 default: 1988 cifs_dbg(VFS, "secType %d not supported!\n", type); 1989 return -ENOSYS; 1990 } 1991 1992 return 0; 1993 } 1994 1995 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1996 struct TCP_Server_Info *server, 1997 const struct nls_table *nls_cp) 1998 { 1999 int rc = 0; 2000 struct sess_data *sess_data; 2001 2002 if (ses == NULL) { 2003 WARN(1, "%s: ses == NULL!", __func__); 2004 return -EINVAL; 2005 } 2006 2007 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2008 if (!sess_data) 2009 return -ENOMEM; 2010 2011 sess_data->xid = xid; 2012 sess_data->ses = ses; 2013 sess_data->server = server; 2014 sess_data->buf0_type = CIFS_NO_BUFFER; 2015 sess_data->nls_cp = (struct nls_table *) nls_cp; 2016 2017 rc = select_sec(sess_data); 2018 if (rc) 2019 goto out; 2020 2021 while (sess_data->func) 2022 sess_data->func(sess_data); 2023 2024 /* Store result before we free sess_data */ 2025 rc = sess_data->result; 2026 2027 out: 2028 kfree_sensitive(sess_data); 2029 return rc; 2030 } 2031 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2032