xref: /linux/fs/smb/client/sess.c (revision f6154d8babbb8a98f0d3ea325aafae2e33bfd8be)
1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3  *
4  *   SMB/CIFS session setup handling routines
5  *
6  *   Copyright (c) International Business Machines  Corp., 2006, 2009
7  *   Author(s): Steve French (sfrench@us.ibm.com)
8  *
9  */
10 
11 #include "cifspdu.h"
12 #include "cifsglob.h"
13 #include "cifsproto.h"
14 #include "cifs_unicode.h"
15 #include "cifs_debug.h"
16 #include "ntlmssp.h"
17 #include "nterr.h"
18 #include <linux/utsname.h>
19 #include <linux/slab.h>
20 #include <linux/version.h>
21 #include "cifsfs.h"
22 #include "cifs_spnego.h"
23 #include "smb2proto.h"
24 #include "fs_context.h"
25 
26 static int
27 cifs_ses_add_channel(struct cifs_ses *ses,
28 		     struct cifs_server_iface *iface);
29 
30 bool
31 is_server_using_iface(struct TCP_Server_Info *server,
32 		      struct cifs_server_iface *iface)
33 {
34 	struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr;
35 	struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr;
36 	struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr;
37 	struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr;
38 
39 	if (server->dstaddr.ss_family != iface->sockaddr.ss_family)
40 		return false;
41 	if (server->dstaddr.ss_family == AF_INET) {
42 		if (s4->sin_addr.s_addr != i4->sin_addr.s_addr)
43 			return false;
44 	} else if (server->dstaddr.ss_family == AF_INET6) {
45 		if (memcmp(&s6->sin6_addr, &i6->sin6_addr,
46 			   sizeof(i6->sin6_addr)) != 0)
47 			return false;
48 	} else {
49 		/* unknown family.. */
50 		return false;
51 	}
52 	return true;
53 }
54 
55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
56 {
57 	int i;
58 
59 	spin_lock(&ses->chan_lock);
60 	for (i = 0; i < ses->chan_count; i++) {
61 		if (ses->chans[i].iface == iface) {
62 			spin_unlock(&ses->chan_lock);
63 			return true;
64 		}
65 	}
66 	spin_unlock(&ses->chan_lock);
67 	return false;
68 }
69 
70 /* channel helper functions. assumed that chan_lock is held by caller. */
71 
72 int
73 cifs_ses_get_chan_index(struct cifs_ses *ses,
74 			struct TCP_Server_Info *server)
75 {
76 	unsigned int i;
77 
78 	for (i = 0; i < ses->chan_count; i++) {
79 		if (ses->chans[i].server == server)
80 			return i;
81 	}
82 
83 	/* If we didn't find the channel, it is likely a bug */
84 	if (server)
85 		cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
86 			 server->conn_id);
87 	WARN_ON(1);
88 	return CIFS_INVAL_CHAN_INDEX;
89 }
90 
91 void
92 cifs_chan_set_in_reconnect(struct cifs_ses *ses,
93 			     struct TCP_Server_Info *server)
94 {
95 	int chan_index = cifs_ses_get_chan_index(ses, server);
96 
97 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
98 		return;
99 
100 	ses->chans[chan_index].in_reconnect = true;
101 }
102 
103 void
104 cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
105 			     struct TCP_Server_Info *server)
106 {
107 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
108 
109 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
110 		return;
111 
112 	ses->chans[chan_index].in_reconnect = false;
113 }
114 
115 bool
116 cifs_chan_in_reconnect(struct cifs_ses *ses,
117 			  struct TCP_Server_Info *server)
118 {
119 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
120 
121 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
122 		return true;	/* err on the safer side */
123 
124 	return CIFS_CHAN_IN_RECONNECT(ses, chan_index);
125 }
126 
127 void
128 cifs_chan_set_need_reconnect(struct cifs_ses *ses,
129 			     struct TCP_Server_Info *server)
130 {
131 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
132 
133 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
134 		return;
135 
136 	set_bit(chan_index, &ses->chans_need_reconnect);
137 	cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
138 		 chan_index, ses->chans_need_reconnect);
139 }
140 
141 void
142 cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
143 			       struct TCP_Server_Info *server)
144 {
145 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
146 
147 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
148 		return;
149 
150 	clear_bit(chan_index, &ses->chans_need_reconnect);
151 	cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
152 		 chan_index, ses->chans_need_reconnect);
153 }
154 
155 bool
156 cifs_chan_needs_reconnect(struct cifs_ses *ses,
157 			  struct TCP_Server_Info *server)
158 {
159 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
160 
161 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
162 		return true;	/* err on the safer side */
163 
164 	return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
165 }
166 
167 bool
168 cifs_chan_is_iface_active(struct cifs_ses *ses,
169 			  struct TCP_Server_Info *server)
170 {
171 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
172 
173 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
174 		return true;	/* err on the safer side */
175 
176 	return ses->chans[chan_index].iface &&
177 		ses->chans[chan_index].iface->is_active;
178 }
179 
180 /* returns number of channels added */
181 int cifs_try_adding_channels(struct cifs_ses *ses)
182 {
183 	struct TCP_Server_Info *server = ses->server;
184 	int old_chan_count, new_chan_count;
185 	int left;
186 	int rc = 0;
187 	int tries = 0;
188 	size_t iface_weight = 0, iface_min_speed = 0;
189 	struct cifs_server_iface *iface = NULL, *niface = NULL;
190 	struct cifs_server_iface *last_iface = NULL;
191 
192 	spin_lock(&ses->chan_lock);
193 
194 	new_chan_count = old_chan_count = ses->chan_count;
195 	left = ses->chan_max - ses->chan_count;
196 
197 	if (left <= 0) {
198 		spin_unlock(&ses->chan_lock);
199 		cifs_dbg(FYI,
200 			 "ses already at max_channels (%zu), nothing to open\n",
201 			 ses->chan_max);
202 		return 0;
203 	}
204 
205 	if (server->dialect < SMB30_PROT_ID) {
206 		spin_unlock(&ses->chan_lock);
207 		cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
208 		return 0;
209 	}
210 
211 	if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
212 		spin_unlock(&ses->chan_lock);
213 		cifs_server_dbg(VFS, "no multichannel support\n");
214 		return 0;
215 	}
216 	spin_unlock(&ses->chan_lock);
217 
218 	while (left > 0) {
219 
220 		tries++;
221 		if (tries > 3*ses->chan_max) {
222 			cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
223 				 left);
224 			break;
225 		}
226 
227 		spin_lock(&ses->iface_lock);
228 		if (!ses->iface_count) {
229 			spin_unlock(&ses->iface_lock);
230 			cifs_dbg(VFS, "server %s does not advertise interfaces\n",
231 				      ses->server->hostname);
232 			break;
233 		}
234 
235 		if (!iface)
236 			iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
237 						 iface_head);
238 		last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
239 					     iface_head);
240 		iface_min_speed = last_iface->speed;
241 
242 		list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
243 				    iface_head) {
244 			/* do not mix rdma and non-rdma interfaces */
245 			if (iface->rdma_capable != ses->server->rdma)
246 				continue;
247 
248 			/* skip ifaces that are unusable */
249 			if (!iface->is_active ||
250 			    (is_ses_using_iface(ses, iface) &&
251 			     !iface->rss_capable))
252 				continue;
253 
254 			/* check if we already allocated enough channels */
255 			iface_weight = iface->speed / iface_min_speed;
256 
257 			if (iface->weight_fulfilled >= iface_weight)
258 				continue;
259 
260 			/* take ref before unlock */
261 			kref_get(&iface->refcount);
262 
263 			spin_unlock(&ses->iface_lock);
264 			rc = cifs_ses_add_channel(ses, iface);
265 			spin_lock(&ses->iface_lock);
266 
267 			if (rc) {
268 				cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
269 					 &iface->sockaddr,
270 					 rc);
271 				kref_put(&iface->refcount, release_iface);
272 				continue;
273 			}
274 
275 			iface->num_channels++;
276 			iface->weight_fulfilled++;
277 			cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n",
278 				 &iface->sockaddr);
279 			break;
280 		}
281 
282 		/* reached end of list. reset weight_fulfilled and start over */
283 		if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
284 			list_for_each_entry(iface, &ses->iface_list, iface_head)
285 				iface->weight_fulfilled = 0;
286 			spin_unlock(&ses->iface_lock);
287 			iface = NULL;
288 			continue;
289 		}
290 		spin_unlock(&ses->iface_lock);
291 
292 		left--;
293 		new_chan_count++;
294 	}
295 
296 	return new_chan_count - old_chan_count;
297 }
298 
299 /*
300  * called when multichannel is disabled by the server.
301  * this always gets called from smb2_reconnect
302  * and cannot get called in parallel threads.
303  */
304 void
305 cifs_disable_secondary_channels(struct cifs_ses *ses)
306 {
307 	int i, chan_count;
308 	struct TCP_Server_Info *server;
309 	struct cifs_server_iface *iface;
310 
311 	spin_lock(&ses->chan_lock);
312 	chan_count = ses->chan_count;
313 	if (chan_count == 1)
314 		goto done;
315 
316 	ses->chan_count = 1;
317 
318 	/* for all secondary channels reset the need reconnect bit */
319 	ses->chans_need_reconnect &= 1;
320 
321 	for (i = 1; i < chan_count; i++) {
322 		iface = ses->chans[i].iface;
323 		server = ses->chans[i].server;
324 
325 		/*
326 		 * remove these references first, since we need to unlock
327 		 * the chan_lock here, since iface_lock is a higher lock
328 		 */
329 		ses->chans[i].iface = NULL;
330 		ses->chans[i].server = NULL;
331 		spin_unlock(&ses->chan_lock);
332 
333 		if (iface) {
334 			spin_lock(&ses->iface_lock);
335 			iface->num_channels--;
336 			if (iface->weight_fulfilled)
337 				iface->weight_fulfilled--;
338 			kref_put(&iface->refcount, release_iface);
339 			spin_unlock(&ses->iface_lock);
340 		}
341 
342 		if (server) {
343 			if (!server->terminate) {
344 				server->terminate = true;
345 				cifs_signal_cifsd_for_reconnect(server, false);
346 			}
347 			cifs_put_tcp_session(server, false);
348 		}
349 
350 		spin_lock(&ses->chan_lock);
351 	}
352 
353 done:
354 	spin_unlock(&ses->chan_lock);
355 }
356 
357 /*
358  * update the iface for the channel if necessary.
359  * will return 0 when iface is updated, 1 if removed, 2 otherwise
360  * Must be called with chan_lock held.
361  */
362 int
363 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
364 {
365 	unsigned int chan_index;
366 	size_t iface_weight = 0, iface_min_speed = 0;
367 	struct cifs_server_iface *iface = NULL;
368 	struct cifs_server_iface *old_iface = NULL;
369 	struct cifs_server_iface *last_iface = NULL;
370 	struct sockaddr_storage ss;
371 	int rc = 0;
372 
373 	spin_lock(&ses->chan_lock);
374 	chan_index = cifs_ses_get_chan_index(ses, server);
375 	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
376 		spin_unlock(&ses->chan_lock);
377 		return 0;
378 	}
379 
380 	if (ses->chans[chan_index].iface) {
381 		old_iface = ses->chans[chan_index].iface;
382 		if (old_iface->is_active) {
383 			spin_unlock(&ses->chan_lock);
384 			return 1;
385 		}
386 	}
387 	spin_unlock(&ses->chan_lock);
388 
389 	spin_lock(&server->srv_lock);
390 	ss = server->dstaddr;
391 	spin_unlock(&server->srv_lock);
392 
393 	spin_lock(&ses->iface_lock);
394 	if (!ses->iface_count) {
395 		spin_unlock(&ses->iface_lock);
396 		cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname);
397 		return 0;
398 	}
399 
400 	last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
401 				     iface_head);
402 	iface_min_speed = last_iface->speed;
403 
404 	/* then look for a new one */
405 	list_for_each_entry(iface, &ses->iface_list, iface_head) {
406 		if (!chan_index) {
407 			/* if we're trying to get the updated iface for primary channel */
408 			if (!cifs_match_ipaddr((struct sockaddr *) &ss,
409 					       (struct sockaddr *) &iface->sockaddr))
410 				continue;
411 
412 			kref_get(&iface->refcount);
413 			break;
414 		}
415 
416 		/* do not mix rdma and non-rdma interfaces */
417 		if (iface->rdma_capable != server->rdma)
418 			continue;
419 
420 		if (!iface->is_active ||
421 		    (is_ses_using_iface(ses, iface) &&
422 		     !iface->rss_capable)) {
423 			continue;
424 		}
425 
426 		/* check if we already allocated enough channels */
427 		iface_weight = iface->speed / iface_min_speed;
428 
429 		if (iface->weight_fulfilled >= iface_weight)
430 			continue;
431 
432 		kref_get(&iface->refcount);
433 		break;
434 	}
435 
436 	if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
437 		rc = 1;
438 		iface = NULL;
439 		cifs_dbg(FYI, "unable to find a suitable iface\n");
440 	}
441 
442 	if (!chan_index && !iface) {
443 		cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
444 			 &ss);
445 		spin_unlock(&ses->iface_lock);
446 		return 0;
447 	}
448 
449 	/* now drop the ref to the current iface */
450 	if (old_iface && iface) {
451 		cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
452 			 &old_iface->sockaddr,
453 			 &iface->sockaddr);
454 
455 		old_iface->num_channels--;
456 		if (old_iface->weight_fulfilled)
457 			old_iface->weight_fulfilled--;
458 		iface->num_channels++;
459 		iface->weight_fulfilled++;
460 
461 		kref_put(&old_iface->refcount, release_iface);
462 	} else if (old_iface) {
463 		cifs_dbg(FYI, "releasing ref to iface: %pIS\n",
464 			 &old_iface->sockaddr);
465 
466 		old_iface->num_channels--;
467 		if (old_iface->weight_fulfilled)
468 			old_iface->weight_fulfilled--;
469 
470 		kref_put(&old_iface->refcount, release_iface);
471 	} else if (!chan_index) {
472 		/* special case: update interface for primary channel */
473 		cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
474 			 &iface->sockaddr);
475 		iface->num_channels++;
476 		iface->weight_fulfilled++;
477 	} else {
478 		WARN_ON(!iface);
479 		cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr);
480 	}
481 	spin_unlock(&ses->iface_lock);
482 
483 	spin_lock(&ses->chan_lock);
484 	chan_index = cifs_ses_get_chan_index(ses, server);
485 	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
486 		spin_unlock(&ses->chan_lock);
487 		return 0;
488 	}
489 
490 	ses->chans[chan_index].iface = iface;
491 
492 	/* No iface is found. if secondary chan, drop connection */
493 	if (!iface && SERVER_IS_CHAN(server))
494 		ses->chans[chan_index].server = NULL;
495 
496 	spin_unlock(&ses->chan_lock);
497 
498 	if (!iface && SERVER_IS_CHAN(server))
499 		cifs_put_tcp_session(server, false);
500 
501 	return rc;
502 }
503 
504 /*
505  * If server is a channel of ses, return the corresponding enclosing
506  * cifs_chan otherwise return NULL.
507  */
508 struct cifs_chan *
509 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server)
510 {
511 	int i;
512 
513 	spin_lock(&ses->chan_lock);
514 	for (i = 0; i < ses->chan_count; i++) {
515 		if (ses->chans[i].server == server) {
516 			spin_unlock(&ses->chan_lock);
517 			return &ses->chans[i];
518 		}
519 	}
520 	spin_unlock(&ses->chan_lock);
521 	return NULL;
522 }
523 
524 static int
525 cifs_ses_add_channel(struct cifs_ses *ses,
526 		     struct cifs_server_iface *iface)
527 {
528 	struct TCP_Server_Info *chan_server;
529 	struct cifs_chan *chan;
530 	struct smb3_fs_context *ctx;
531 	static const char unc_fmt[] = "\\%s\\foo";
532 	struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
533 	struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
534 	size_t len;
535 	int rc;
536 	unsigned int xid = get_xid();
537 
538 	if (iface->sockaddr.ss_family == AF_INET)
539 		cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
540 			 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
541 			 &ipv4->sin_addr);
542 	else
543 		cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
544 			 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
545 			 &ipv6->sin6_addr);
546 
547 	/*
548 	 * Setup a ctx with mostly the same info as the existing
549 	 * session and overwrite it with the requested iface data.
550 	 *
551 	 * We need to setup at least the fields used for negprot and
552 	 * sesssetup.
553 	 *
554 	 * We only need the ctx here, so we can reuse memory from
555 	 * the session and server without caring about memory
556 	 * management.
557 	 */
558 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
559 	if (!ctx) {
560 		rc = -ENOMEM;
561 		goto out_free_xid;
562 	}
563 
564 	/* Always make new connection for now (TODO?) */
565 	ctx->nosharesock = true;
566 
567 	/* Auth */
568 	ctx->domainauto = ses->domainAuto;
569 	ctx->domainname = ses->domainName;
570 
571 	/* no hostname for extra channels */
572 	ctx->server_hostname = "";
573 
574 	ctx->username = ses->user_name;
575 	ctx->password = ses->password;
576 	ctx->sectype = ses->sectype;
577 	ctx->sign = ses->sign;
578 
579 	/* UNC and paths */
580 	/* XXX: Use ses->server->hostname? */
581 	len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
582 	ctx->UNC = kzalloc(len, GFP_KERNEL);
583 	if (!ctx->UNC) {
584 		rc = -ENOMEM;
585 		goto out_free_ctx;
586 	}
587 	scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr);
588 	ctx->prepath = "";
589 
590 	/* Reuse same version as master connection */
591 	ctx->vals = ses->server->vals;
592 	ctx->ops = ses->server->ops;
593 
594 	ctx->noblocksnd = ses->server->noblocksnd;
595 	ctx->noautotune = ses->server->noautotune;
596 	ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
597 	ctx->echo_interval = ses->server->echo_interval / HZ;
598 	ctx->max_credits = ses->server->max_credits;
599 
600 	/*
601 	 * This will be used for encoding/decoding user/domain/pw
602 	 * during sess setup auth.
603 	 */
604 	ctx->local_nls = ses->local_nls;
605 
606 	/* Use RDMA if possible */
607 	ctx->rdma = iface->rdma_capable;
608 	memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
609 
610 	/* reuse master con client guid */
611 	memcpy(&ctx->client_guid, ses->server->client_guid,
612 	       sizeof(ctx->client_guid));
613 	ctx->use_client_guid = true;
614 
615 	chan_server = cifs_get_tcp_session(ctx, ses->server);
616 
617 	spin_lock(&ses->chan_lock);
618 	chan = &ses->chans[ses->chan_count];
619 	chan->server = chan_server;
620 	if (IS_ERR(chan->server)) {
621 		rc = PTR_ERR(chan->server);
622 		chan->server = NULL;
623 		spin_unlock(&ses->chan_lock);
624 		goto out;
625 	}
626 	chan->iface = iface;
627 	ses->chan_count++;
628 	atomic_set(&ses->chan_seq, 0);
629 
630 	/* Mark this channel as needing connect/setup */
631 	cifs_chan_set_need_reconnect(ses, chan->server);
632 
633 	spin_unlock(&ses->chan_lock);
634 
635 	mutex_lock(&ses->session_mutex);
636 	/*
637 	 * We need to allocate the server crypto now as we will need
638 	 * to sign packets before we generate the channel signing key
639 	 * (we sign with the session key)
640 	 */
641 	rc = smb311_crypto_shash_allocate(chan->server);
642 	if (rc) {
643 		cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
644 		mutex_unlock(&ses->session_mutex);
645 		goto out;
646 	}
647 
648 	rc = cifs_negotiate_protocol(xid, ses, chan->server);
649 	if (!rc)
650 		rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
651 
652 	mutex_unlock(&ses->session_mutex);
653 
654 out:
655 	if (rc && chan->server) {
656 		cifs_put_tcp_session(chan->server, 0);
657 
658 		spin_lock(&ses->chan_lock);
659 
660 		/* we rely on all bits beyond chan_count to be clear */
661 		cifs_chan_clear_need_reconnect(ses, chan->server);
662 		ses->chan_count--;
663 		/*
664 		 * chan_count should never reach 0 as at least the primary
665 		 * channel is always allocated
666 		 */
667 		WARN_ON(ses->chan_count < 1);
668 		spin_unlock(&ses->chan_lock);
669 	}
670 
671 	kfree(ctx->UNC);
672 out_free_ctx:
673 	kfree(ctx);
674 out_free_xid:
675 	free_xid(xid);
676 	return rc;
677 }
678 
679 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
680 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
681 			     struct TCP_Server_Info *server,
682 			     SESSION_SETUP_ANDX *pSMB)
683 {
684 	__u32 capabilities = 0;
685 
686 	/* init fields common to all four types of SessSetup */
687 	/* Note that offsets for first seven fields in req struct are same  */
688 	/*	in CIFS Specs so does not matter which of 3 forms of struct */
689 	/*	that we use in next few lines                               */
690 	/* Note that header is initialized to zero in header_assemble */
691 	pSMB->req.AndXCommand = 0xFF;
692 	pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
693 					CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
694 					USHRT_MAX));
695 	pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
696 	pSMB->req.VcNumber = cpu_to_le16(1);
697 
698 	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
699 
700 	/* BB verify whether signing required on neg or just auth frame (and NTLM case) */
701 
702 	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
703 			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
704 
705 	if (server->sign)
706 		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
707 
708 	if (ses->capabilities & CAP_UNICODE) {
709 		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
710 		capabilities |= CAP_UNICODE;
711 	}
712 	if (ses->capabilities & CAP_STATUS32) {
713 		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
714 		capabilities |= CAP_STATUS32;
715 	}
716 	if (ses->capabilities & CAP_DFS) {
717 		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
718 		capabilities |= CAP_DFS;
719 	}
720 	if (ses->capabilities & CAP_UNIX)
721 		capabilities |= CAP_UNIX;
722 
723 	return capabilities;
724 }
725 
726 static void
727 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
728 {
729 	char *bcc_ptr = *pbcc_area;
730 	int bytes_ret = 0;
731 
732 	/* Copy OS version */
733 	bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
734 				    nls_cp);
735 	bcc_ptr += 2 * bytes_ret;
736 	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
737 				    32, nls_cp);
738 	bcc_ptr += 2 * bytes_ret;
739 	bcc_ptr += 2; /* trailing null */
740 
741 	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
742 				    32, nls_cp);
743 	bcc_ptr += 2 * bytes_ret;
744 	bcc_ptr += 2; /* trailing null */
745 
746 	*pbcc_area = bcc_ptr;
747 }
748 
749 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
750 				   const struct nls_table *nls_cp)
751 {
752 	char *bcc_ptr = *pbcc_area;
753 	int bytes_ret = 0;
754 
755 	/* copy domain */
756 	if (ses->domainName == NULL) {
757 		/*
758 		 * Sending null domain better than using a bogus domain name (as
759 		 * we did briefly in 2.6.18) since server will use its default
760 		 */
761 		*bcc_ptr = 0;
762 		*(bcc_ptr+1) = 0;
763 		bytes_ret = 0;
764 	} else
765 		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
766 					    CIFS_MAX_DOMAINNAME_LEN, nls_cp);
767 	bcc_ptr += 2 * bytes_ret;
768 	bcc_ptr += 2;  /* account for null terminator */
769 
770 	*pbcc_area = bcc_ptr;
771 }
772 
773 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
774 				   const struct nls_table *nls_cp)
775 {
776 	char *bcc_ptr = *pbcc_area;
777 	int bytes_ret = 0;
778 
779 	/* BB FIXME add check that strings less than 335 or will need to send as arrays */
780 
781 	/* copy user */
782 	if (ses->user_name == NULL) {
783 		/* null user mount */
784 		*bcc_ptr = 0;
785 		*(bcc_ptr+1) = 0;
786 	} else {
787 		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
788 					    CIFS_MAX_USERNAME_LEN, nls_cp);
789 	}
790 	bcc_ptr += 2 * bytes_ret;
791 	bcc_ptr += 2; /* account for null termination */
792 
793 	unicode_domain_string(&bcc_ptr, ses, nls_cp);
794 	unicode_oslm_strings(&bcc_ptr, nls_cp);
795 
796 	*pbcc_area = bcc_ptr;
797 }
798 
799 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
800 				 const struct nls_table *nls_cp)
801 {
802 	char *bcc_ptr = *pbcc_area;
803 	int len;
804 
805 	/* copy user */
806 	/* BB what about null user mounts - check that we do this BB */
807 	/* copy user */
808 	if (ses->user_name != NULL) {
809 		len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
810 		if (WARN_ON_ONCE(len < 0))
811 			len = CIFS_MAX_USERNAME_LEN - 1;
812 		bcc_ptr += len;
813 	}
814 	/* else null user mount */
815 	*bcc_ptr = 0;
816 	bcc_ptr++; /* account for null termination */
817 
818 	/* copy domain */
819 	if (ses->domainName != NULL) {
820 		len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
821 		if (WARN_ON_ONCE(len < 0))
822 			len = CIFS_MAX_DOMAINNAME_LEN - 1;
823 		bcc_ptr += len;
824 	} /* else we send a null domain name so server will default to its own domain */
825 	*bcc_ptr = 0;
826 	bcc_ptr++;
827 
828 	/* BB check for overflow here */
829 
830 	strcpy(bcc_ptr, "Linux version ");
831 	bcc_ptr += strlen("Linux version ");
832 	strcpy(bcc_ptr, init_utsname()->release);
833 	bcc_ptr += strlen(init_utsname()->release) + 1;
834 
835 	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
836 	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
837 
838 	*pbcc_area = bcc_ptr;
839 }
840 
841 static void
842 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
843 		      const struct nls_table *nls_cp)
844 {
845 	int len;
846 	char *data = *pbcc_area;
847 
848 	cifs_dbg(FYI, "bleft %d\n", bleft);
849 
850 	kfree(ses->serverOS);
851 	ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
852 	cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
853 	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
854 	data += len;
855 	bleft -= len;
856 	if (bleft <= 0)
857 		return;
858 
859 	kfree(ses->serverNOS);
860 	ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
861 	cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
862 	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
863 	data += len;
864 	bleft -= len;
865 	if (bleft <= 0)
866 		return;
867 
868 	kfree(ses->serverDomain);
869 	ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
870 	cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
871 
872 	return;
873 }
874 
875 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
876 				struct cifs_ses *ses,
877 				const struct nls_table *nls_cp)
878 {
879 	int len;
880 	char *bcc_ptr = *pbcc_area;
881 
882 	cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
883 
884 	len = strnlen(bcc_ptr, bleft);
885 	if (len >= bleft)
886 		return;
887 
888 	kfree(ses->serverOS);
889 
890 	ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
891 	if (ses->serverOS) {
892 		memcpy(ses->serverOS, bcc_ptr, len);
893 		ses->serverOS[len] = 0;
894 		if (strncmp(ses->serverOS, "OS/2", 4) == 0)
895 			cifs_dbg(FYI, "OS/2 server\n");
896 	}
897 
898 	bcc_ptr += len + 1;
899 	bleft -= len + 1;
900 
901 	len = strnlen(bcc_ptr, bleft);
902 	if (len >= bleft)
903 		return;
904 
905 	kfree(ses->serverNOS);
906 
907 	ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
908 	if (ses->serverNOS) {
909 		memcpy(ses->serverNOS, bcc_ptr, len);
910 		ses->serverNOS[len] = 0;
911 	}
912 
913 	bcc_ptr += len + 1;
914 	bleft -= len + 1;
915 
916 	len = strnlen(bcc_ptr, bleft);
917 	if (len > bleft)
918 		return;
919 
920 	/*
921 	 * No domain field in LANMAN case. Domain is
922 	 * returned by old servers in the SMB negprot response
923 	 *
924 	 * BB For newer servers which do not support Unicode,
925 	 * but thus do return domain here, we could add parsing
926 	 * for it later, but it is not very important
927 	 */
928 	cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
929 }
930 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
931 
932 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
933 				    struct cifs_ses *ses)
934 {
935 	unsigned int tioffset; /* challenge message target info area */
936 	unsigned int tilen; /* challenge message target info area length  */
937 	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
938 	__u32 server_flags;
939 
940 	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
941 		cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
942 		return -EINVAL;
943 	}
944 
945 	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
946 		cifs_dbg(VFS, "blob signature incorrect %s\n",
947 			 pblob->Signature);
948 		return -EINVAL;
949 	}
950 	if (pblob->MessageType != NtLmChallenge) {
951 		cifs_dbg(VFS, "Incorrect message type %d\n",
952 			 pblob->MessageType);
953 		return -EINVAL;
954 	}
955 
956 	server_flags = le32_to_cpu(pblob->NegotiateFlags);
957 	cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
958 		 ses->ntlmssp->client_flags, server_flags);
959 
960 	if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) &&
961 	    (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
962 		cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
963 			 __func__);
964 		return -EINVAL;
965 	}
966 	if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
967 		cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
968 		return -EINVAL;
969 	}
970 	if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
971 		cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
972 			 __func__);
973 		return -EOPNOTSUPP;
974 	}
975 	if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
976 	    !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
977 		pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
978 			     __func__);
979 
980 	ses->ntlmssp->server_flags = server_flags;
981 
982 	memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
983 	/*
984 	 * In particular we can examine sign flags
985 	 *
986 	 * BB spec says that if AvId field of MsvAvTimestamp is populated then
987 	 * we must set the MIC field of the AUTHENTICATE_MESSAGE
988 	 */
989 
990 	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
991 	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
992 	if (tioffset > blob_len || tioffset + tilen > blob_len) {
993 		cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
994 			 tioffset, tilen);
995 		return -EINVAL;
996 	}
997 	if (tilen) {
998 		kfree_sensitive(ses->auth_key.response);
999 		ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
1000 						 GFP_KERNEL);
1001 		if (!ses->auth_key.response) {
1002 			cifs_dbg(VFS, "Challenge target info alloc failure\n");
1003 			return -ENOMEM;
1004 		}
1005 		ses->auth_key.len = tilen;
1006 	}
1007 
1008 	return 0;
1009 }
1010 
1011 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size)
1012 {
1013 	int sz = base_size + ses->auth_key.len
1014 		- CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
1015 
1016 	if (ses->domainName)
1017 		sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
1018 	else
1019 		sz += sizeof(__le16);
1020 
1021 	if (ses->user_name)
1022 		sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
1023 	else
1024 		sz += sizeof(__le16);
1025 
1026 	if (ses->workstation_name[0])
1027 		sz += sizeof(__le16) * strnlen(ses->workstation_name,
1028 					       ntlmssp_workstation_name_size(ses));
1029 	else
1030 		sz += sizeof(__le16);
1031 
1032 	return sz;
1033 }
1034 
1035 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
1036 						 char *str_value,
1037 						 int str_length,
1038 						 unsigned char *pstart,
1039 						 unsigned char **pcur,
1040 						 const struct nls_table *nls_cp)
1041 {
1042 	unsigned char *tmp = pstart;
1043 	int len;
1044 
1045 	if (!pbuf)
1046 		return;
1047 
1048 	if (!pcur)
1049 		pcur = &tmp;
1050 
1051 	if (!str_value) {
1052 		pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1053 		pbuf->Length = 0;
1054 		pbuf->MaximumLength = 0;
1055 		*pcur += sizeof(__le16);
1056 	} else {
1057 		len = cifs_strtoUTF16((__le16 *)*pcur,
1058 				      str_value,
1059 				      str_length,
1060 				      nls_cp);
1061 		len *= sizeof(__le16);
1062 		pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1063 		pbuf->Length = cpu_to_le16(len);
1064 		pbuf->MaximumLength = cpu_to_le16(len);
1065 		*pcur += len;
1066 	}
1067 }
1068 
1069 /* BB Move to ntlmssp.c eventually */
1070 
1071 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
1072 				 u16 *buflen,
1073 				 struct cifs_ses *ses,
1074 				 struct TCP_Server_Info *server,
1075 				 const struct nls_table *nls_cp)
1076 {
1077 	int rc = 0;
1078 	NEGOTIATE_MESSAGE *sec_blob;
1079 	__u32 flags;
1080 	unsigned char *tmp;
1081 	int len;
1082 
1083 	len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE));
1084 	*pbuffer = kmalloc(len, GFP_KERNEL);
1085 	if (!*pbuffer) {
1086 		rc = -ENOMEM;
1087 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1088 		*buflen = 0;
1089 		goto setup_ntlm_neg_ret;
1090 	}
1091 	sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer;
1092 
1093 	memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
1094 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1095 	sec_blob->MessageType = NtLmNegotiate;
1096 
1097 	/* BB is NTLMV2 session security format easier to use here? */
1098 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
1099 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1100 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1101 		NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1102 		NTLMSSP_NEGOTIATE_SIGN;
1103 	if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1104 		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1105 
1106 	tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE);
1107 	ses->ntlmssp->client_flags = flags;
1108 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1109 
1110 	/* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1111 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1112 				      NULL,
1113 				      CIFS_MAX_DOMAINNAME_LEN,
1114 				      *pbuffer, &tmp,
1115 				      nls_cp);
1116 
1117 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1118 				      NULL,
1119 				      CIFS_MAX_WORKSTATION_LEN,
1120 				      *pbuffer, &tmp,
1121 				      nls_cp);
1122 
1123 	*buflen = tmp - *pbuffer;
1124 setup_ntlm_neg_ret:
1125 	return rc;
1126 }
1127 
1128 /*
1129  * Build ntlmssp blob with additional fields, such as version,
1130  * supported by modern servers. For safety limit to SMB3 or later
1131  * See notes in MS-NLMP Section 2.2.2.1 e.g.
1132  */
1133 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
1134 				 u16 *buflen,
1135 				 struct cifs_ses *ses,
1136 				 struct TCP_Server_Info *server,
1137 				 const struct nls_table *nls_cp)
1138 {
1139 	int rc = 0;
1140 	struct negotiate_message *sec_blob;
1141 	__u32 flags;
1142 	unsigned char *tmp;
1143 	int len;
1144 
1145 	len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message));
1146 	*pbuffer = kmalloc(len, GFP_KERNEL);
1147 	if (!*pbuffer) {
1148 		rc = -ENOMEM;
1149 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1150 		*buflen = 0;
1151 		goto setup_ntlm_smb3_neg_ret;
1152 	}
1153 	sec_blob = (struct negotiate_message *)*pbuffer;
1154 
1155 	memset(*pbuffer, 0, sizeof(struct negotiate_message));
1156 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1157 	sec_blob->MessageType = NtLmNegotiate;
1158 
1159 	/* BB is NTLMV2 session security format easier to use here? */
1160 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
1161 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1162 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1163 		NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1164 		NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION;
1165 	if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1166 		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1167 
1168 	sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1169 	sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1170 	sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1171 	sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1172 
1173 	tmp = *pbuffer + sizeof(struct negotiate_message);
1174 	ses->ntlmssp->client_flags = flags;
1175 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1176 
1177 	/* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1178 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1179 				      NULL,
1180 				      CIFS_MAX_DOMAINNAME_LEN,
1181 				      *pbuffer, &tmp,
1182 				      nls_cp);
1183 
1184 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1185 				      NULL,
1186 				      CIFS_MAX_WORKSTATION_LEN,
1187 				      *pbuffer, &tmp,
1188 				      nls_cp);
1189 
1190 	*buflen = tmp - *pbuffer;
1191 setup_ntlm_smb3_neg_ret:
1192 	return rc;
1193 }
1194 
1195 
1196 /* See MS-NLMP 2.2.1.3 */
1197 int build_ntlmssp_auth_blob(unsigned char **pbuffer,
1198 					u16 *buflen,
1199 				   struct cifs_ses *ses,
1200 				   struct TCP_Server_Info *server,
1201 				   const struct nls_table *nls_cp)
1202 {
1203 	int rc;
1204 	AUTHENTICATE_MESSAGE *sec_blob;
1205 	__u32 flags;
1206 	unsigned char *tmp;
1207 	int len;
1208 
1209 	rc = setup_ntlmv2_rsp(ses, nls_cp);
1210 	if (rc) {
1211 		cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
1212 		*buflen = 0;
1213 		goto setup_ntlmv2_ret;
1214 	}
1215 
1216 	len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE));
1217 	*pbuffer = kmalloc(len, GFP_KERNEL);
1218 	if (!*pbuffer) {
1219 		rc = -ENOMEM;
1220 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1221 		*buflen = 0;
1222 		goto setup_ntlmv2_ret;
1223 	}
1224 	sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
1225 
1226 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1227 	sec_blob->MessageType = NtLmAuthenticate;
1228 
1229 	/* send version information in ntlmssp authenticate also */
1230 	flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
1231 		NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION |
1232 		NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
1233 
1234 	sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1235 	sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1236 	sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1237 	sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1238 
1239 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
1240 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1241 
1242 	sec_blob->LmChallengeResponse.BufferOffset =
1243 				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
1244 	sec_blob->LmChallengeResponse.Length = 0;
1245 	sec_blob->LmChallengeResponse.MaximumLength = 0;
1246 
1247 	sec_blob->NtChallengeResponse.BufferOffset =
1248 				cpu_to_le32(tmp - *pbuffer);
1249 	if (ses->user_name != NULL) {
1250 		memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1251 				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1252 		tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1253 
1254 		sec_blob->NtChallengeResponse.Length =
1255 				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1256 		sec_blob->NtChallengeResponse.MaximumLength =
1257 				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1258 	} else {
1259 		/*
1260 		 * don't send an NT Response for anonymous access
1261 		 */
1262 		sec_blob->NtChallengeResponse.Length = 0;
1263 		sec_blob->NtChallengeResponse.MaximumLength = 0;
1264 	}
1265 
1266 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1267 				      ses->domainName,
1268 				      CIFS_MAX_DOMAINNAME_LEN,
1269 				      *pbuffer, &tmp,
1270 				      nls_cp);
1271 
1272 	cifs_security_buffer_from_str(&sec_blob->UserName,
1273 				      ses->user_name,
1274 				      CIFS_MAX_USERNAME_LEN,
1275 				      *pbuffer, &tmp,
1276 				      nls_cp);
1277 
1278 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1279 				      ses->workstation_name,
1280 				      ntlmssp_workstation_name_size(ses),
1281 				      *pbuffer, &tmp,
1282 				      nls_cp);
1283 
1284 	if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
1285 	    (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) &&
1286 	    !calc_seckey(ses)) {
1287 		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
1288 		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1289 		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1290 		sec_blob->SessionKey.MaximumLength =
1291 				cpu_to_le16(CIFS_CPHTXT_SIZE);
1292 		tmp += CIFS_CPHTXT_SIZE;
1293 	} else {
1294 		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1295 		sec_blob->SessionKey.Length = 0;
1296 		sec_blob->SessionKey.MaximumLength = 0;
1297 	}
1298 
1299 	*buflen = tmp - *pbuffer;
1300 setup_ntlmv2_ret:
1301 	return rc;
1302 }
1303 
1304 enum securityEnum
1305 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
1306 {
1307 	switch (server->negflavor) {
1308 	case CIFS_NEGFLAVOR_EXTENDED:
1309 		switch (requested) {
1310 		case Kerberos:
1311 		case RawNTLMSSP:
1312 			return requested;
1313 		case Unspecified:
1314 			if (server->sec_ntlmssp &&
1315 			    (global_secflags & CIFSSEC_MAY_NTLMSSP))
1316 				return RawNTLMSSP;
1317 			if ((server->sec_kerberos || server->sec_mskerberos) &&
1318 			    (global_secflags & CIFSSEC_MAY_KRB5))
1319 				return Kerberos;
1320 			fallthrough;
1321 		default:
1322 			return Unspecified;
1323 		}
1324 	case CIFS_NEGFLAVOR_UNENCAP:
1325 		switch (requested) {
1326 		case NTLMv2:
1327 			return requested;
1328 		case Unspecified:
1329 			if (global_secflags & CIFSSEC_MAY_NTLMV2)
1330 				return NTLMv2;
1331 			break;
1332 		default:
1333 			break;
1334 		}
1335 		fallthrough;
1336 	default:
1337 		return Unspecified;
1338 	}
1339 }
1340 
1341 struct sess_data {
1342 	unsigned int xid;
1343 	struct cifs_ses *ses;
1344 	struct TCP_Server_Info *server;
1345 	struct nls_table *nls_cp;
1346 	void (*func)(struct sess_data *);
1347 	int result;
1348 
1349 	/* we will send the SMB in three pieces:
1350 	 * a fixed length beginning part, an optional
1351 	 * SPNEGO blob (which can be zero length), and a
1352 	 * last part which will include the strings
1353 	 * and rest of bcc area. This allows us to avoid
1354 	 * a large buffer 17K allocation
1355 	 */
1356 	int buf0_type;
1357 	struct kvec iov[3];
1358 };
1359 
1360 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1361 static int
1362 sess_alloc_buffer(struct sess_data *sess_data, int wct)
1363 {
1364 	int rc;
1365 	struct cifs_ses *ses = sess_data->ses;
1366 	struct smb_hdr *smb_buf;
1367 
1368 	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
1369 				  (void **)&smb_buf);
1370 
1371 	if (rc)
1372 		return rc;
1373 
1374 	sess_data->iov[0].iov_base = (char *)smb_buf;
1375 	sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
1376 	/*
1377 	 * This variable will be used to clear the buffer
1378 	 * allocated above in case of any error in the calling function.
1379 	 */
1380 	sess_data->buf0_type = CIFS_SMALL_BUFFER;
1381 
1382 	/* 2000 big enough to fit max user, domain, NOS name etc. */
1383 	sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
1384 	if (!sess_data->iov[2].iov_base) {
1385 		rc = -ENOMEM;
1386 		goto out_free_smb_buf;
1387 	}
1388 
1389 	return 0;
1390 
1391 out_free_smb_buf:
1392 	cifs_small_buf_release(smb_buf);
1393 	sess_data->iov[0].iov_base = NULL;
1394 	sess_data->iov[0].iov_len = 0;
1395 	sess_data->buf0_type = CIFS_NO_BUFFER;
1396 	return rc;
1397 }
1398 
1399 static void
1400 sess_free_buffer(struct sess_data *sess_data)
1401 {
1402 	struct kvec *iov = sess_data->iov;
1403 
1404 	/*
1405 	 * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
1406 	 * Note that iov[1] is already freed by caller.
1407 	 */
1408 	if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
1409 		memzero_explicit(iov[0].iov_base, iov[0].iov_len);
1410 
1411 	free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
1412 	sess_data->buf0_type = CIFS_NO_BUFFER;
1413 	kfree_sensitive(iov[2].iov_base);
1414 }
1415 
1416 static int
1417 sess_establish_session(struct sess_data *sess_data)
1418 {
1419 	struct cifs_ses *ses = sess_data->ses;
1420 	struct TCP_Server_Info *server = sess_data->server;
1421 
1422 	cifs_server_lock(server);
1423 	if (!server->session_estab) {
1424 		if (server->sign) {
1425 			server->session_key.response =
1426 				kmemdup(ses->auth_key.response,
1427 				ses->auth_key.len, GFP_KERNEL);
1428 			if (!server->session_key.response) {
1429 				cifs_server_unlock(server);
1430 				return -ENOMEM;
1431 			}
1432 			server->session_key.len =
1433 						ses->auth_key.len;
1434 		}
1435 		server->sequence_number = 0x2;
1436 		server->session_estab = true;
1437 	}
1438 	cifs_server_unlock(server);
1439 
1440 	cifs_dbg(FYI, "CIFS session established successfully\n");
1441 	return 0;
1442 }
1443 
1444 static int
1445 sess_sendreceive(struct sess_data *sess_data)
1446 {
1447 	int rc;
1448 	struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
1449 	__u16 count;
1450 	struct kvec rsp_iov = { NULL, 0 };
1451 
1452 	count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
1453 	be32_add_cpu(&smb_buf->smb_buf_length, count);
1454 	put_bcc(count, smb_buf);
1455 
1456 	rc = SendReceive2(sess_data->xid, sess_data->ses,
1457 			  sess_data->iov, 3 /* num_iovecs */,
1458 			  &sess_data->buf0_type,
1459 			  CIFS_LOG_ERROR, &rsp_iov);
1460 	cifs_small_buf_release(sess_data->iov[0].iov_base);
1461 	memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec));
1462 
1463 	return rc;
1464 }
1465 
1466 static void
1467 sess_auth_ntlmv2(struct sess_data *sess_data)
1468 {
1469 	int rc = 0;
1470 	struct smb_hdr *smb_buf;
1471 	SESSION_SETUP_ANDX *pSMB;
1472 	char *bcc_ptr;
1473 	struct cifs_ses *ses = sess_data->ses;
1474 	struct TCP_Server_Info *server = sess_data->server;
1475 	__u32 capabilities;
1476 	__u16 bytes_remaining;
1477 
1478 	/* old style NTLM sessionsetup */
1479 	/* wct = 13 */
1480 	rc = sess_alloc_buffer(sess_data, 13);
1481 	if (rc)
1482 		goto out;
1483 
1484 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1485 	bcc_ptr = sess_data->iov[2].iov_base;
1486 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1487 
1488 	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1489 
1490 	/* LM2 password would be here if we supported it */
1491 	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1492 
1493 	if (ses->user_name != NULL) {
1494 		/* calculate nlmv2 response and session key */
1495 		rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1496 		if (rc) {
1497 			cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1498 			goto out;
1499 		}
1500 
1501 		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1502 				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1503 		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1504 
1505 		/* set case sensitive password length after tilen may get
1506 		 * assigned, tilen is 0 otherwise.
1507 		 */
1508 		pSMB->req_no_secext.CaseSensitivePasswordLength =
1509 			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1510 	} else {
1511 		pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1512 	}
1513 
1514 	if (ses->capabilities & CAP_UNICODE) {
1515 		if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) {
1516 			*bcc_ptr = 0;
1517 			bcc_ptr++;
1518 		}
1519 		unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1520 	} else {
1521 		ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1522 	}
1523 
1524 
1525 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1526 			(long) sess_data->iov[2].iov_base;
1527 
1528 	rc = sess_sendreceive(sess_data);
1529 	if (rc)
1530 		goto out;
1531 
1532 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1533 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1534 
1535 	if (smb_buf->WordCount != 3) {
1536 		rc = -EIO;
1537 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1538 		goto out;
1539 	}
1540 
1541 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1542 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1543 
1544 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1545 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1546 
1547 	bytes_remaining = get_bcc(smb_buf);
1548 	bcc_ptr = pByteArea(smb_buf);
1549 
1550 	/* BB check if Unicode and decode strings */
1551 	if (bytes_remaining == 0) {
1552 		/* no string area to decode, do nothing */
1553 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1554 		/* unicode string area must be word-aligned */
1555 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1556 			++bcc_ptr;
1557 			--bytes_remaining;
1558 		}
1559 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1560 				      sess_data->nls_cp);
1561 	} else {
1562 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1563 				    sess_data->nls_cp);
1564 	}
1565 
1566 	rc = sess_establish_session(sess_data);
1567 out:
1568 	sess_data->result = rc;
1569 	sess_data->func = NULL;
1570 	sess_free_buffer(sess_data);
1571 	kfree_sensitive(ses->auth_key.response);
1572 	ses->auth_key.response = NULL;
1573 }
1574 
1575 #ifdef CONFIG_CIFS_UPCALL
1576 static void
1577 sess_auth_kerberos(struct sess_data *sess_data)
1578 {
1579 	int rc = 0;
1580 	struct smb_hdr *smb_buf;
1581 	SESSION_SETUP_ANDX *pSMB;
1582 	char *bcc_ptr;
1583 	struct cifs_ses *ses = sess_data->ses;
1584 	struct TCP_Server_Info *server = sess_data->server;
1585 	__u32 capabilities;
1586 	__u16 bytes_remaining;
1587 	struct key *spnego_key = NULL;
1588 	struct cifs_spnego_msg *msg;
1589 	u16 blob_len;
1590 
1591 	/* extended security */
1592 	/* wct = 12 */
1593 	rc = sess_alloc_buffer(sess_data, 12);
1594 	if (rc)
1595 		goto out;
1596 
1597 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1598 	bcc_ptr = sess_data->iov[2].iov_base;
1599 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1600 
1601 	spnego_key = cifs_get_spnego_key(ses, server);
1602 	if (IS_ERR(spnego_key)) {
1603 		rc = PTR_ERR(spnego_key);
1604 		spnego_key = NULL;
1605 		goto out;
1606 	}
1607 
1608 	msg = spnego_key->payload.data[0];
1609 	/*
1610 	 * check version field to make sure that cifs.upcall is
1611 	 * sending us a response in an expected form
1612 	 */
1613 	if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1614 		cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1615 			 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1616 		rc = -EKEYREJECTED;
1617 		goto out_put_spnego_key;
1618 	}
1619 
1620 	kfree_sensitive(ses->auth_key.response);
1621 	ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1622 					 GFP_KERNEL);
1623 	if (!ses->auth_key.response) {
1624 		cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1625 			 msg->sesskey_len);
1626 		rc = -ENOMEM;
1627 		goto out_put_spnego_key;
1628 	}
1629 	ses->auth_key.len = msg->sesskey_len;
1630 
1631 	pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1632 	capabilities |= CAP_EXTENDED_SECURITY;
1633 	pSMB->req.Capabilities = cpu_to_le32(capabilities);
1634 	sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1635 	sess_data->iov[1].iov_len = msg->secblob_len;
1636 	pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1637 
1638 	if (ses->capabilities & CAP_UNICODE) {
1639 		/* unicode strings must be word aligned */
1640 		if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1641 			*bcc_ptr = 0;
1642 			bcc_ptr++;
1643 		}
1644 		unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1645 		unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1646 	} else {
1647 		/* BB: is this right? */
1648 		ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1649 	}
1650 
1651 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1652 			(long) sess_data->iov[2].iov_base;
1653 
1654 	rc = sess_sendreceive(sess_data);
1655 	if (rc)
1656 		goto out_put_spnego_key;
1657 
1658 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1659 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1660 
1661 	if (smb_buf->WordCount != 4) {
1662 		rc = -EIO;
1663 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1664 		goto out_put_spnego_key;
1665 	}
1666 
1667 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1668 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1669 
1670 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1671 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1672 
1673 	bytes_remaining = get_bcc(smb_buf);
1674 	bcc_ptr = pByteArea(smb_buf);
1675 
1676 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1677 	if (blob_len > bytes_remaining) {
1678 		cifs_dbg(VFS, "bad security blob length %d\n",
1679 				blob_len);
1680 		rc = -EINVAL;
1681 		goto out_put_spnego_key;
1682 	}
1683 	bcc_ptr += blob_len;
1684 	bytes_remaining -= blob_len;
1685 
1686 	/* BB check if Unicode and decode strings */
1687 	if (bytes_remaining == 0) {
1688 		/* no string area to decode, do nothing */
1689 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1690 		/* unicode string area must be word-aligned */
1691 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1692 			++bcc_ptr;
1693 			--bytes_remaining;
1694 		}
1695 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1696 				      sess_data->nls_cp);
1697 	} else {
1698 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1699 				    sess_data->nls_cp);
1700 	}
1701 
1702 	rc = sess_establish_session(sess_data);
1703 out_put_spnego_key:
1704 	key_invalidate(spnego_key);
1705 	key_put(spnego_key);
1706 out:
1707 	sess_data->result = rc;
1708 	sess_data->func = NULL;
1709 	sess_free_buffer(sess_data);
1710 	kfree_sensitive(ses->auth_key.response);
1711 	ses->auth_key.response = NULL;
1712 }
1713 
1714 #endif /* ! CONFIG_CIFS_UPCALL */
1715 
1716 /*
1717  * The required kvec buffers have to be allocated before calling this
1718  * function.
1719  */
1720 static int
1721 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1722 {
1723 	SESSION_SETUP_ANDX *pSMB;
1724 	struct cifs_ses *ses = sess_data->ses;
1725 	struct TCP_Server_Info *server = sess_data->server;
1726 	__u32 capabilities;
1727 	char *bcc_ptr;
1728 
1729 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1730 
1731 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1732 	if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
1733 		cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
1734 		return -ENOSYS;
1735 	}
1736 
1737 	pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1738 	capabilities |= CAP_EXTENDED_SECURITY;
1739 	pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1740 
1741 	bcc_ptr = sess_data->iov[2].iov_base;
1742 	/* unicode strings must be word aligned */
1743 	if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1744 		*bcc_ptr = 0;
1745 		bcc_ptr++;
1746 	}
1747 	unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1748 
1749 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1750 					(long) sess_data->iov[2].iov_base;
1751 
1752 	return 0;
1753 }
1754 
1755 static void
1756 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1757 
1758 static void
1759 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1760 {
1761 	int rc;
1762 	struct smb_hdr *smb_buf;
1763 	SESSION_SETUP_ANDX *pSMB;
1764 	struct cifs_ses *ses = sess_data->ses;
1765 	struct TCP_Server_Info *server = sess_data->server;
1766 	__u16 bytes_remaining;
1767 	char *bcc_ptr;
1768 	unsigned char *ntlmsspblob = NULL;
1769 	u16 blob_len;
1770 
1771 	cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1772 
1773 	/*
1774 	 * if memory allocation is successful, caller of this function
1775 	 * frees it.
1776 	 */
1777 	ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1778 	if (!ses->ntlmssp) {
1779 		rc = -ENOMEM;
1780 		goto out;
1781 	}
1782 	ses->ntlmssp->sesskey_per_smbsess = false;
1783 
1784 	/* wct = 12 */
1785 	rc = sess_alloc_buffer(sess_data, 12);
1786 	if (rc)
1787 		goto out;
1788 
1789 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1790 
1791 	/* Build security blob before we assemble the request */
1792 	rc = build_ntlmssp_negotiate_blob(&ntlmsspblob,
1793 				     &blob_len, ses, server,
1794 				     sess_data->nls_cp);
1795 	if (rc)
1796 		goto out_free_ntlmsspblob;
1797 
1798 	sess_data->iov[1].iov_len = blob_len;
1799 	sess_data->iov[1].iov_base = ntlmsspblob;
1800 	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1801 
1802 	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1803 	if (rc)
1804 		goto out_free_ntlmsspblob;
1805 
1806 	rc = sess_sendreceive(sess_data);
1807 
1808 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1809 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1810 
1811 	/* If true, rc here is expected and not an error */
1812 	if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1813 	    smb_buf->Status.CifsError ==
1814 			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1815 		rc = 0;
1816 
1817 	if (rc)
1818 		goto out_free_ntlmsspblob;
1819 
1820 	cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1821 
1822 	if (smb_buf->WordCount != 4) {
1823 		rc = -EIO;
1824 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1825 		goto out_free_ntlmsspblob;
1826 	}
1827 
1828 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1829 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1830 
1831 	bytes_remaining = get_bcc(smb_buf);
1832 	bcc_ptr = pByteArea(smb_buf);
1833 
1834 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1835 	if (blob_len > bytes_remaining) {
1836 		cifs_dbg(VFS, "bad security blob length %d\n",
1837 				blob_len);
1838 		rc = -EINVAL;
1839 		goto out_free_ntlmsspblob;
1840 	}
1841 
1842 	rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1843 
1844 out_free_ntlmsspblob:
1845 	kfree_sensitive(ntlmsspblob);
1846 out:
1847 	sess_free_buffer(sess_data);
1848 
1849 	if (!rc) {
1850 		sess_data->func = sess_auth_rawntlmssp_authenticate;
1851 		return;
1852 	}
1853 
1854 	/* Else error. Cleanup */
1855 	kfree_sensitive(ses->auth_key.response);
1856 	ses->auth_key.response = NULL;
1857 	kfree_sensitive(ses->ntlmssp);
1858 	ses->ntlmssp = NULL;
1859 
1860 	sess_data->func = NULL;
1861 	sess_data->result = rc;
1862 }
1863 
1864 static void
1865 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1866 {
1867 	int rc;
1868 	struct smb_hdr *smb_buf;
1869 	SESSION_SETUP_ANDX *pSMB;
1870 	struct cifs_ses *ses = sess_data->ses;
1871 	struct TCP_Server_Info *server = sess_data->server;
1872 	__u16 bytes_remaining;
1873 	char *bcc_ptr;
1874 	unsigned char *ntlmsspblob = NULL;
1875 	u16 blob_len;
1876 
1877 	cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1878 
1879 	/* wct = 12 */
1880 	rc = sess_alloc_buffer(sess_data, 12);
1881 	if (rc)
1882 		goto out;
1883 
1884 	/* Build security blob before we assemble the request */
1885 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1886 	smb_buf = (struct smb_hdr *)pSMB;
1887 	rc = build_ntlmssp_auth_blob(&ntlmsspblob,
1888 					&blob_len, ses, server,
1889 					sess_data->nls_cp);
1890 	if (rc)
1891 		goto out_free_ntlmsspblob;
1892 	sess_data->iov[1].iov_len = blob_len;
1893 	sess_data->iov[1].iov_base = ntlmsspblob;
1894 	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1895 	/*
1896 	 * Make sure that we tell the server that we are using
1897 	 * the uid that it just gave us back on the response
1898 	 * (challenge)
1899 	 */
1900 	smb_buf->Uid = ses->Suid;
1901 
1902 	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1903 	if (rc)
1904 		goto out_free_ntlmsspblob;
1905 
1906 	rc = sess_sendreceive(sess_data);
1907 	if (rc)
1908 		goto out_free_ntlmsspblob;
1909 
1910 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1911 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1912 	if (smb_buf->WordCount != 4) {
1913 		rc = -EIO;
1914 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1915 		goto out_free_ntlmsspblob;
1916 	}
1917 
1918 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1919 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1920 
1921 	if (ses->Suid != smb_buf->Uid) {
1922 		ses->Suid = smb_buf->Uid;
1923 		cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1924 	}
1925 
1926 	bytes_remaining = get_bcc(smb_buf);
1927 	bcc_ptr = pByteArea(smb_buf);
1928 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1929 	if (blob_len > bytes_remaining) {
1930 		cifs_dbg(VFS, "bad security blob length %d\n",
1931 				blob_len);
1932 		rc = -EINVAL;
1933 		goto out_free_ntlmsspblob;
1934 	}
1935 	bcc_ptr += blob_len;
1936 	bytes_remaining -= blob_len;
1937 
1938 
1939 	/* BB check if Unicode and decode strings */
1940 	if (bytes_remaining == 0) {
1941 		/* no string area to decode, do nothing */
1942 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1943 		/* unicode string area must be word-aligned */
1944 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1945 			++bcc_ptr;
1946 			--bytes_remaining;
1947 		}
1948 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1949 				      sess_data->nls_cp);
1950 	} else {
1951 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1952 				    sess_data->nls_cp);
1953 	}
1954 
1955 out_free_ntlmsspblob:
1956 	kfree_sensitive(ntlmsspblob);
1957 out:
1958 	sess_free_buffer(sess_data);
1959 
1960 	if (!rc)
1961 		rc = sess_establish_session(sess_data);
1962 
1963 	/* Cleanup */
1964 	kfree_sensitive(ses->auth_key.response);
1965 	ses->auth_key.response = NULL;
1966 	kfree_sensitive(ses->ntlmssp);
1967 	ses->ntlmssp = NULL;
1968 
1969 	sess_data->func = NULL;
1970 	sess_data->result = rc;
1971 }
1972 
1973 static int select_sec(struct sess_data *sess_data)
1974 {
1975 	int type;
1976 	struct cifs_ses *ses = sess_data->ses;
1977 	struct TCP_Server_Info *server = sess_data->server;
1978 
1979 	type = cifs_select_sectype(server, ses->sectype);
1980 	cifs_dbg(FYI, "sess setup type %d\n", type);
1981 	if (type == Unspecified) {
1982 		cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1983 		return -EINVAL;
1984 	}
1985 
1986 	switch (type) {
1987 	case NTLMv2:
1988 		sess_data->func = sess_auth_ntlmv2;
1989 		break;
1990 	case Kerberos:
1991 #ifdef CONFIG_CIFS_UPCALL
1992 		sess_data->func = sess_auth_kerberos;
1993 		break;
1994 #else
1995 		cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1996 		return -ENOSYS;
1997 #endif /* CONFIG_CIFS_UPCALL */
1998 	case RawNTLMSSP:
1999 		sess_data->func = sess_auth_rawntlmssp_negotiate;
2000 		break;
2001 	default:
2002 		cifs_dbg(VFS, "secType %d not supported!\n", type);
2003 		return -ENOSYS;
2004 	}
2005 
2006 	return 0;
2007 }
2008 
2009 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
2010 		   struct TCP_Server_Info *server,
2011 		   const struct nls_table *nls_cp)
2012 {
2013 	int rc = 0;
2014 	struct sess_data *sess_data;
2015 
2016 	if (ses == NULL) {
2017 		WARN(1, "%s: ses == NULL!", __func__);
2018 		return -EINVAL;
2019 	}
2020 
2021 	sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
2022 	if (!sess_data)
2023 		return -ENOMEM;
2024 
2025 	sess_data->xid = xid;
2026 	sess_data->ses = ses;
2027 	sess_data->server = server;
2028 	sess_data->buf0_type = CIFS_NO_BUFFER;
2029 	sess_data->nls_cp = (struct nls_table *) nls_cp;
2030 
2031 	rc = select_sec(sess_data);
2032 	if (rc)
2033 		goto out;
2034 
2035 	while (sess_data->func)
2036 		sess_data->func(sess_data);
2037 
2038 	/* Store result before we free sess_data */
2039 	rc = sess_data->result;
2040 
2041 out:
2042 	kfree_sensitive(sess_data);
2043 	return rc;
2044 }
2045 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
2046