1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11 #include "cifspdu.h" 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "cifs_unicode.h" 15 #include "cifs_debug.h" 16 #include "ntlmssp.h" 17 #include "nterr.h" 18 #include <linux/utsname.h> 19 #include <linux/slab.h> 20 #include <linux/version.h> 21 #include "cifsfs.h" 22 #include "cifs_spnego.h" 23 #include "smb2proto.h" 24 #include "fs_context.h" 25 26 static int 27 cifs_ses_add_channel(struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30 bool 31 is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33 { 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53 } 54 55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56 { 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68 } 69 70 /* channel helper functions. assumed that chan_lock is held by caller. */ 71 72 int 73 cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75 { 76 unsigned int i; 77 78 for (i = 0; i < ses->chan_count; i++) { 79 if (ses->chans[i].server == server) 80 return i; 81 } 82 83 /* If we didn't find the channel, it is likely a bug */ 84 if (server) 85 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 86 server->conn_id); 87 WARN_ON(1); 88 return CIFS_INVAL_CHAN_INDEX; 89 } 90 91 void 92 cifs_chan_set_in_reconnect(struct cifs_ses *ses, 93 struct TCP_Server_Info *server) 94 { 95 int chan_index = cifs_ses_get_chan_index(ses, server); 96 97 if (chan_index == CIFS_INVAL_CHAN_INDEX) 98 return; 99 100 ses->chans[chan_index].in_reconnect = true; 101 } 102 103 void 104 cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 105 struct TCP_Server_Info *server) 106 { 107 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 108 109 if (chan_index == CIFS_INVAL_CHAN_INDEX) 110 return; 111 112 ses->chans[chan_index].in_reconnect = false; 113 } 114 115 bool 116 cifs_chan_in_reconnect(struct cifs_ses *ses, 117 struct TCP_Server_Info *server) 118 { 119 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 120 121 if (chan_index == CIFS_INVAL_CHAN_INDEX) 122 return true; /* err on the safer side */ 123 124 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 125 } 126 127 void 128 cifs_chan_set_need_reconnect(struct cifs_ses *ses, 129 struct TCP_Server_Info *server) 130 { 131 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 132 133 if (chan_index == CIFS_INVAL_CHAN_INDEX) 134 return; 135 136 set_bit(chan_index, &ses->chans_need_reconnect); 137 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 138 chan_index, ses->chans_need_reconnect); 139 } 140 141 void 142 cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 143 struct TCP_Server_Info *server) 144 { 145 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 146 147 if (chan_index == CIFS_INVAL_CHAN_INDEX) 148 return; 149 150 clear_bit(chan_index, &ses->chans_need_reconnect); 151 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 152 chan_index, ses->chans_need_reconnect); 153 } 154 155 bool 156 cifs_chan_needs_reconnect(struct cifs_ses *ses, 157 struct TCP_Server_Info *server) 158 { 159 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 160 161 if (chan_index == CIFS_INVAL_CHAN_INDEX) 162 return true; /* err on the safer side */ 163 164 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 165 } 166 167 bool 168 cifs_chan_is_iface_active(struct cifs_ses *ses, 169 struct TCP_Server_Info *server) 170 { 171 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 172 173 if (chan_index == CIFS_INVAL_CHAN_INDEX) 174 return true; /* err on the safer side */ 175 176 return ses->chans[chan_index].iface && 177 ses->chans[chan_index].iface->is_active; 178 } 179 180 /* returns number of channels added */ 181 int cifs_try_adding_channels(struct cifs_ses *ses) 182 { 183 struct TCP_Server_Info *server = ses->server; 184 int old_chan_count, new_chan_count; 185 int left; 186 int rc = 0; 187 int tries = 0; 188 size_t iface_weight = 0, iface_min_speed = 0; 189 struct cifs_server_iface *iface = NULL, *niface = NULL; 190 struct cifs_server_iface *last_iface = NULL; 191 192 spin_lock(&ses->chan_lock); 193 194 new_chan_count = old_chan_count = ses->chan_count; 195 left = ses->chan_max - ses->chan_count; 196 197 if (left <= 0) { 198 spin_unlock(&ses->chan_lock); 199 cifs_dbg(FYI, 200 "ses already at max_channels (%zu), nothing to open\n", 201 ses->chan_max); 202 return 0; 203 } 204 205 if (server->dialect < SMB30_PROT_ID) { 206 spin_unlock(&ses->chan_lock); 207 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 208 return 0; 209 } 210 211 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 212 spin_unlock(&ses->chan_lock); 213 cifs_server_dbg(VFS, "no multichannel support\n"); 214 return 0; 215 } 216 spin_unlock(&ses->chan_lock); 217 218 while (left > 0) { 219 220 tries++; 221 if (tries > 3*ses->chan_max) { 222 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n", 223 left); 224 break; 225 } 226 227 spin_lock(&ses->iface_lock); 228 if (!ses->iface_count) { 229 spin_unlock(&ses->iface_lock); 230 cifs_dbg(VFS, "server %s does not advertise interfaces\n", 231 ses->server->hostname); 232 break; 233 } 234 235 if (!iface) 236 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 237 iface_head); 238 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 239 iface_head); 240 iface_min_speed = last_iface->speed; 241 242 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 243 iface_head) { 244 /* do not mix rdma and non-rdma interfaces */ 245 if (iface->rdma_capable != ses->server->rdma) 246 continue; 247 248 /* skip ifaces that are unusable */ 249 if (!iface->is_active || 250 (is_ses_using_iface(ses, iface) && 251 !iface->rss_capable)) 252 continue; 253 254 /* check if we already allocated enough channels */ 255 iface_weight = iface->speed / iface_min_speed; 256 257 if (iface->weight_fulfilled >= iface_weight) 258 continue; 259 260 /* take ref before unlock */ 261 kref_get(&iface->refcount); 262 263 spin_unlock(&ses->iface_lock); 264 rc = cifs_ses_add_channel(ses, iface); 265 spin_lock(&ses->iface_lock); 266 267 if (rc) { 268 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 269 &iface->sockaddr, 270 rc); 271 kref_put(&iface->refcount, release_iface); 272 continue; 273 } 274 275 iface->num_channels++; 276 iface->weight_fulfilled++; 277 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n", 278 &iface->sockaddr); 279 break; 280 } 281 282 /* reached end of list. reset weight_fulfilled and start over */ 283 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 284 list_for_each_entry(iface, &ses->iface_list, iface_head) 285 iface->weight_fulfilled = 0; 286 spin_unlock(&ses->iface_lock); 287 iface = NULL; 288 continue; 289 } 290 spin_unlock(&ses->iface_lock); 291 292 left--; 293 new_chan_count++; 294 } 295 296 return new_chan_count - old_chan_count; 297 } 298 299 /* 300 * called when multichannel is disabled by the server. 301 * this always gets called from smb2_reconnect 302 * and cannot get called in parallel threads. 303 */ 304 void 305 cifs_disable_secondary_channels(struct cifs_ses *ses) 306 { 307 int i, chan_count; 308 struct TCP_Server_Info *server; 309 struct cifs_server_iface *iface; 310 311 spin_lock(&ses->chan_lock); 312 chan_count = ses->chan_count; 313 if (chan_count == 1) 314 goto done; 315 316 ses->chan_count = 1; 317 318 /* for all secondary channels reset the need reconnect bit */ 319 ses->chans_need_reconnect &= 1; 320 321 for (i = 1; i < chan_count; i++) { 322 iface = ses->chans[i].iface; 323 server = ses->chans[i].server; 324 325 /* 326 * remove these references first, since we need to unlock 327 * the chan_lock here, since iface_lock is a higher lock 328 */ 329 ses->chans[i].iface = NULL; 330 ses->chans[i].server = NULL; 331 spin_unlock(&ses->chan_lock); 332 333 if (iface) { 334 spin_lock(&ses->iface_lock); 335 iface->num_channels--; 336 if (iface->weight_fulfilled) 337 iface->weight_fulfilled--; 338 kref_put(&iface->refcount, release_iface); 339 spin_unlock(&ses->iface_lock); 340 } 341 342 if (server) { 343 if (!server->terminate) { 344 server->terminate = true; 345 cifs_signal_cifsd_for_reconnect(server, false); 346 } 347 cifs_put_tcp_session(server, false); 348 } 349 350 spin_lock(&ses->chan_lock); 351 } 352 353 done: 354 spin_unlock(&ses->chan_lock); 355 } 356 357 /* 358 * update the iface for the channel if necessary. 359 * will return 0 when iface is updated, 1 if removed, 2 otherwise 360 * Must be called with chan_lock held. 361 */ 362 int 363 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 364 { 365 unsigned int chan_index; 366 size_t iface_weight = 0, iface_min_speed = 0; 367 struct cifs_server_iface *iface = NULL; 368 struct cifs_server_iface *old_iface = NULL; 369 struct cifs_server_iface *last_iface = NULL; 370 struct sockaddr_storage ss; 371 int rc = 0; 372 373 spin_lock(&ses->chan_lock); 374 chan_index = cifs_ses_get_chan_index(ses, server); 375 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 376 spin_unlock(&ses->chan_lock); 377 return 0; 378 } 379 380 if (ses->chans[chan_index].iface) { 381 old_iface = ses->chans[chan_index].iface; 382 if (old_iface->is_active) { 383 spin_unlock(&ses->chan_lock); 384 return 1; 385 } 386 } 387 spin_unlock(&ses->chan_lock); 388 389 spin_lock(&server->srv_lock); 390 ss = server->dstaddr; 391 spin_unlock(&server->srv_lock); 392 393 spin_lock(&ses->iface_lock); 394 if (!ses->iface_count) { 395 spin_unlock(&ses->iface_lock); 396 cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname); 397 return 0; 398 } 399 400 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, 401 iface_head); 402 iface_min_speed = last_iface->speed; 403 404 /* then look for a new one */ 405 list_for_each_entry(iface, &ses->iface_list, iface_head) { 406 if (!chan_index) { 407 /* if we're trying to get the updated iface for primary channel */ 408 if (!cifs_match_ipaddr((struct sockaddr *) &ss, 409 (struct sockaddr *) &iface->sockaddr)) 410 continue; 411 412 kref_get(&iface->refcount); 413 break; 414 } 415 416 /* do not mix rdma and non-rdma interfaces */ 417 if (iface->rdma_capable != server->rdma) 418 continue; 419 420 if (!iface->is_active || 421 (is_ses_using_iface(ses, iface) && 422 !iface->rss_capable)) { 423 continue; 424 } 425 426 /* check if we already allocated enough channels */ 427 iface_weight = iface->speed / iface_min_speed; 428 429 if (iface->weight_fulfilled >= iface_weight) 430 continue; 431 432 kref_get(&iface->refcount); 433 break; 434 } 435 436 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { 437 rc = 1; 438 iface = NULL; 439 cifs_dbg(FYI, "unable to find a suitable iface\n"); 440 } 441 442 if (!chan_index && !iface) { 443 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n", 444 &ss); 445 spin_unlock(&ses->iface_lock); 446 return 0; 447 } 448 449 /* now drop the ref to the current iface */ 450 if (old_iface && iface) { 451 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 452 &old_iface->sockaddr, 453 &iface->sockaddr); 454 455 old_iface->num_channels--; 456 if (old_iface->weight_fulfilled) 457 old_iface->weight_fulfilled--; 458 iface->num_channels++; 459 iface->weight_fulfilled++; 460 461 kref_put(&old_iface->refcount, release_iface); 462 } else if (old_iface) { 463 cifs_dbg(FYI, "releasing ref to iface: %pIS\n", 464 &old_iface->sockaddr); 465 466 old_iface->num_channels--; 467 if (old_iface->weight_fulfilled) 468 old_iface->weight_fulfilled--; 469 470 kref_put(&old_iface->refcount, release_iface); 471 } else if (!chan_index) { 472 /* special case: update interface for primary channel */ 473 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n", 474 &iface->sockaddr); 475 iface->num_channels++; 476 iface->weight_fulfilled++; 477 } else { 478 WARN_ON(!iface); 479 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); 480 } 481 spin_unlock(&ses->iface_lock); 482 483 spin_lock(&ses->chan_lock); 484 chan_index = cifs_ses_get_chan_index(ses, server); 485 if (chan_index == CIFS_INVAL_CHAN_INDEX) { 486 spin_unlock(&ses->chan_lock); 487 return 0; 488 } 489 490 ses->chans[chan_index].iface = iface; 491 492 /* No iface is found. if secondary chan, drop connection */ 493 if (!iface && SERVER_IS_CHAN(server)) 494 ses->chans[chan_index].server = NULL; 495 496 spin_unlock(&ses->chan_lock); 497 498 if (!iface && SERVER_IS_CHAN(server)) 499 cifs_put_tcp_session(server, false); 500 501 return rc; 502 } 503 504 /* 505 * If server is a channel of ses, return the corresponding enclosing 506 * cifs_chan otherwise return NULL. 507 */ 508 struct cifs_chan * 509 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 510 { 511 int i; 512 513 spin_lock(&ses->chan_lock); 514 for (i = 0; i < ses->chan_count; i++) { 515 if (ses->chans[i].server == server) { 516 spin_unlock(&ses->chan_lock); 517 return &ses->chans[i]; 518 } 519 } 520 spin_unlock(&ses->chan_lock); 521 return NULL; 522 } 523 524 static int 525 cifs_ses_add_channel(struct cifs_ses *ses, 526 struct cifs_server_iface *iface) 527 { 528 struct TCP_Server_Info *chan_server; 529 struct cifs_chan *chan; 530 struct smb3_fs_context *ctx; 531 static const char unc_fmt[] = "\\%s\\foo"; 532 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 533 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 534 size_t len; 535 int rc; 536 unsigned int xid = get_xid(); 537 538 if (iface->sockaddr.ss_family == AF_INET) 539 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 540 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 541 &ipv4->sin_addr); 542 else 543 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 544 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 545 &ipv6->sin6_addr); 546 547 /* 548 * Setup a ctx with mostly the same info as the existing 549 * session and overwrite it with the requested iface data. 550 * 551 * We need to setup at least the fields used for negprot and 552 * sesssetup. 553 * 554 * We only need the ctx here, so we can reuse memory from 555 * the session and server without caring about memory 556 * management. 557 */ 558 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 559 if (!ctx) { 560 rc = -ENOMEM; 561 goto out_free_xid; 562 } 563 564 /* Always make new connection for now (TODO?) */ 565 ctx->nosharesock = true; 566 567 /* Auth */ 568 ctx->domainauto = ses->domainAuto; 569 ctx->domainname = ses->domainName; 570 571 /* no hostname for extra channels */ 572 ctx->server_hostname = ""; 573 574 ctx->username = ses->user_name; 575 ctx->password = ses->password; 576 ctx->sectype = ses->sectype; 577 ctx->sign = ses->sign; 578 579 /* UNC and paths */ 580 /* XXX: Use ses->server->hostname? */ 581 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL; 582 ctx->UNC = kzalloc(len, GFP_KERNEL); 583 if (!ctx->UNC) { 584 rc = -ENOMEM; 585 goto out_free_ctx; 586 } 587 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr); 588 ctx->prepath = ""; 589 590 /* Reuse same version as master connection */ 591 ctx->vals = ses->server->vals; 592 ctx->ops = ses->server->ops; 593 594 ctx->noblocksnd = ses->server->noblocksnd; 595 ctx->noautotune = ses->server->noautotune; 596 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; 597 ctx->echo_interval = ses->server->echo_interval / HZ; 598 ctx->max_credits = ses->server->max_credits; 599 600 /* 601 * This will be used for encoding/decoding user/domain/pw 602 * during sess setup auth. 603 */ 604 ctx->local_nls = ses->local_nls; 605 606 /* Use RDMA if possible */ 607 ctx->rdma = iface->rdma_capable; 608 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr)); 609 610 /* reuse master con client guid */ 611 memcpy(&ctx->client_guid, ses->server->client_guid, 612 sizeof(ctx->client_guid)); 613 ctx->use_client_guid = true; 614 615 chan_server = cifs_get_tcp_session(ctx, ses->server); 616 617 spin_lock(&ses->chan_lock); 618 chan = &ses->chans[ses->chan_count]; 619 chan->server = chan_server; 620 if (IS_ERR(chan->server)) { 621 rc = PTR_ERR(chan->server); 622 chan->server = NULL; 623 spin_unlock(&ses->chan_lock); 624 goto out; 625 } 626 chan->iface = iface; 627 ses->chan_count++; 628 atomic_set(&ses->chan_seq, 0); 629 630 /* Mark this channel as needing connect/setup */ 631 cifs_chan_set_need_reconnect(ses, chan->server); 632 633 spin_unlock(&ses->chan_lock); 634 635 mutex_lock(&ses->session_mutex); 636 /* 637 * We need to allocate the server crypto now as we will need 638 * to sign packets before we generate the channel signing key 639 * (we sign with the session key) 640 */ 641 rc = smb311_crypto_shash_allocate(chan->server); 642 if (rc) { 643 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 644 mutex_unlock(&ses->session_mutex); 645 goto out; 646 } 647 648 rc = cifs_negotiate_protocol(xid, ses, chan->server); 649 if (!rc) 650 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls); 651 652 mutex_unlock(&ses->session_mutex); 653 654 out: 655 if (rc && chan->server) { 656 cifs_put_tcp_session(chan->server, 0); 657 658 spin_lock(&ses->chan_lock); 659 660 /* we rely on all bits beyond chan_count to be clear */ 661 cifs_chan_clear_need_reconnect(ses, chan->server); 662 ses->chan_count--; 663 /* 664 * chan_count should never reach 0 as at least the primary 665 * channel is always allocated 666 */ 667 WARN_ON(ses->chan_count < 1); 668 spin_unlock(&ses->chan_lock); 669 } 670 671 kfree(ctx->UNC); 672 out_free_ctx: 673 kfree(ctx); 674 out_free_xid: 675 free_xid(xid); 676 return rc; 677 } 678 679 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 680 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 681 struct TCP_Server_Info *server, 682 SESSION_SETUP_ANDX *pSMB) 683 { 684 __u32 capabilities = 0; 685 686 /* init fields common to all four types of SessSetup */ 687 /* Note that offsets for first seven fields in req struct are same */ 688 /* in CIFS Specs so does not matter which of 3 forms of struct */ 689 /* that we use in next few lines */ 690 /* Note that header is initialized to zero in header_assemble */ 691 pSMB->req.AndXCommand = 0xFF; 692 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 693 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 694 USHRT_MAX)); 695 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 696 pSMB->req.VcNumber = cpu_to_le16(1); 697 698 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 699 700 /* BB verify whether signing required on neg or just auth frame (and NTLM case) */ 701 702 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 703 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 704 705 if (server->sign) 706 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 707 708 if (ses->capabilities & CAP_UNICODE) { 709 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 710 capabilities |= CAP_UNICODE; 711 } 712 if (ses->capabilities & CAP_STATUS32) { 713 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 714 capabilities |= CAP_STATUS32; 715 } 716 if (ses->capabilities & CAP_DFS) { 717 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 718 capabilities |= CAP_DFS; 719 } 720 if (ses->capabilities & CAP_UNIX) 721 capabilities |= CAP_UNIX; 722 723 return capabilities; 724 } 725 726 static void 727 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 728 { 729 char *bcc_ptr = *pbcc_area; 730 int bytes_ret = 0; 731 732 /* Copy OS version */ 733 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 734 nls_cp); 735 bcc_ptr += 2 * bytes_ret; 736 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 737 32, nls_cp); 738 bcc_ptr += 2 * bytes_ret; 739 bcc_ptr += 2; /* trailing null */ 740 741 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 742 32, nls_cp); 743 bcc_ptr += 2 * bytes_ret; 744 bcc_ptr += 2; /* trailing null */ 745 746 *pbcc_area = bcc_ptr; 747 } 748 749 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 750 const struct nls_table *nls_cp) 751 { 752 char *bcc_ptr = *pbcc_area; 753 int bytes_ret = 0; 754 755 /* copy domain */ 756 if (ses->domainName == NULL) { 757 /* 758 * Sending null domain better than using a bogus domain name (as 759 * we did briefly in 2.6.18) since server will use its default 760 */ 761 *bcc_ptr = 0; 762 *(bcc_ptr+1) = 0; 763 bytes_ret = 0; 764 } else 765 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 766 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 767 bcc_ptr += 2 * bytes_ret; 768 bcc_ptr += 2; /* account for null terminator */ 769 770 *pbcc_area = bcc_ptr; 771 } 772 773 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 774 const struct nls_table *nls_cp) 775 { 776 char *bcc_ptr = *pbcc_area; 777 int bytes_ret = 0; 778 779 /* BB FIXME add check that strings less than 335 or will need to send as arrays */ 780 781 /* copy user */ 782 if (ses->user_name == NULL) { 783 /* null user mount */ 784 *bcc_ptr = 0; 785 *(bcc_ptr+1) = 0; 786 } else { 787 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 788 CIFS_MAX_USERNAME_LEN, nls_cp); 789 } 790 bcc_ptr += 2 * bytes_ret; 791 bcc_ptr += 2; /* account for null termination */ 792 793 unicode_domain_string(&bcc_ptr, ses, nls_cp); 794 unicode_oslm_strings(&bcc_ptr, nls_cp); 795 796 *pbcc_area = bcc_ptr; 797 } 798 799 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 800 const struct nls_table *nls_cp) 801 { 802 char *bcc_ptr = *pbcc_area; 803 int len; 804 805 /* copy user */ 806 /* BB what about null user mounts - check that we do this BB */ 807 /* copy user */ 808 if (ses->user_name != NULL) { 809 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 810 if (WARN_ON_ONCE(len < 0)) 811 len = CIFS_MAX_USERNAME_LEN - 1; 812 bcc_ptr += len; 813 } 814 /* else null user mount */ 815 *bcc_ptr = 0; 816 bcc_ptr++; /* account for null termination */ 817 818 /* copy domain */ 819 if (ses->domainName != NULL) { 820 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 821 if (WARN_ON_ONCE(len < 0)) 822 len = CIFS_MAX_DOMAINNAME_LEN - 1; 823 bcc_ptr += len; 824 } /* else we send a null domain name so server will default to its own domain */ 825 *bcc_ptr = 0; 826 bcc_ptr++; 827 828 /* BB check for overflow here */ 829 830 strcpy(bcc_ptr, "Linux version "); 831 bcc_ptr += strlen("Linux version "); 832 strcpy(bcc_ptr, init_utsname()->release); 833 bcc_ptr += strlen(init_utsname()->release) + 1; 834 835 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 836 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 837 838 *pbcc_area = bcc_ptr; 839 } 840 841 static void 842 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 843 const struct nls_table *nls_cp) 844 { 845 int len; 846 char *data = *pbcc_area; 847 848 cifs_dbg(FYI, "bleft %d\n", bleft); 849 850 kfree(ses->serverOS); 851 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 852 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 853 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 854 data += len; 855 bleft -= len; 856 if (bleft <= 0) 857 return; 858 859 kfree(ses->serverNOS); 860 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 861 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 862 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 863 data += len; 864 bleft -= len; 865 if (bleft <= 0) 866 return; 867 868 kfree(ses->serverDomain); 869 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 870 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 871 872 return; 873 } 874 875 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 876 struct cifs_ses *ses, 877 const struct nls_table *nls_cp) 878 { 879 int len; 880 char *bcc_ptr = *pbcc_area; 881 882 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 883 884 len = strnlen(bcc_ptr, bleft); 885 if (len >= bleft) 886 return; 887 888 kfree(ses->serverOS); 889 890 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 891 if (ses->serverOS) { 892 memcpy(ses->serverOS, bcc_ptr, len); 893 ses->serverOS[len] = 0; 894 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 895 cifs_dbg(FYI, "OS/2 server\n"); 896 } 897 898 bcc_ptr += len + 1; 899 bleft -= len + 1; 900 901 len = strnlen(bcc_ptr, bleft); 902 if (len >= bleft) 903 return; 904 905 kfree(ses->serverNOS); 906 907 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 908 if (ses->serverNOS) { 909 memcpy(ses->serverNOS, bcc_ptr, len); 910 ses->serverNOS[len] = 0; 911 } 912 913 bcc_ptr += len + 1; 914 bleft -= len + 1; 915 916 len = strnlen(bcc_ptr, bleft); 917 if (len > bleft) 918 return; 919 920 /* 921 * No domain field in LANMAN case. Domain is 922 * returned by old servers in the SMB negprot response 923 * 924 * BB For newer servers which do not support Unicode, 925 * but thus do return domain here, we could add parsing 926 * for it later, but it is not very important 927 */ 928 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 929 } 930 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 931 932 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 933 struct cifs_ses *ses) 934 { 935 unsigned int tioffset; /* challenge message target info area */ 936 unsigned int tilen; /* challenge message target info area length */ 937 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 938 __u32 server_flags; 939 940 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 941 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 942 return -EINVAL; 943 } 944 945 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 946 cifs_dbg(VFS, "blob signature incorrect %s\n", 947 pblob->Signature); 948 return -EINVAL; 949 } 950 if (pblob->MessageType != NtLmChallenge) { 951 cifs_dbg(VFS, "Incorrect message type %d\n", 952 pblob->MessageType); 953 return -EINVAL; 954 } 955 956 server_flags = le32_to_cpu(pblob->NegotiateFlags); 957 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 958 ses->ntlmssp->client_flags, server_flags); 959 960 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 961 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 962 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 963 __func__); 964 return -EINVAL; 965 } 966 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 967 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 968 return -EINVAL; 969 } 970 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 971 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 972 __func__); 973 return -EOPNOTSUPP; 974 } 975 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 976 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 977 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 978 __func__); 979 980 ses->ntlmssp->server_flags = server_flags; 981 982 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 983 /* 984 * In particular we can examine sign flags 985 * 986 * BB spec says that if AvId field of MsvAvTimestamp is populated then 987 * we must set the MIC field of the AUTHENTICATE_MESSAGE 988 */ 989 990 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 991 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 992 if (tioffset > blob_len || tioffset + tilen > blob_len) { 993 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 994 tioffset, tilen); 995 return -EINVAL; 996 } 997 if (tilen) { 998 kfree_sensitive(ses->auth_key.response); 999 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 1000 GFP_KERNEL); 1001 if (!ses->auth_key.response) { 1002 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 1003 return -ENOMEM; 1004 } 1005 ses->auth_key.len = tilen; 1006 } 1007 1008 return 0; 1009 } 1010 1011 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 1012 { 1013 int sz = base_size + ses->auth_key.len 1014 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 1015 1016 if (ses->domainName) 1017 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 1018 else 1019 sz += sizeof(__le16); 1020 1021 if (ses->user_name) 1022 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 1023 else 1024 sz += sizeof(__le16); 1025 1026 if (ses->workstation_name[0]) 1027 sz += sizeof(__le16) * strnlen(ses->workstation_name, 1028 ntlmssp_workstation_name_size(ses)); 1029 else 1030 sz += sizeof(__le16); 1031 1032 return sz; 1033 } 1034 1035 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 1036 char *str_value, 1037 int str_length, 1038 unsigned char *pstart, 1039 unsigned char **pcur, 1040 const struct nls_table *nls_cp) 1041 { 1042 unsigned char *tmp = pstart; 1043 int len; 1044 1045 if (!pbuf) 1046 return; 1047 1048 if (!pcur) 1049 pcur = &tmp; 1050 1051 if (!str_value) { 1052 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1053 pbuf->Length = 0; 1054 pbuf->MaximumLength = 0; 1055 *pcur += sizeof(__le16); 1056 } else { 1057 len = cifs_strtoUTF16((__le16 *)*pcur, 1058 str_value, 1059 str_length, 1060 nls_cp); 1061 len *= sizeof(__le16); 1062 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 1063 pbuf->Length = cpu_to_le16(len); 1064 pbuf->MaximumLength = cpu_to_le16(len); 1065 *pcur += len; 1066 } 1067 } 1068 1069 /* BB Move to ntlmssp.c eventually */ 1070 1071 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 1072 u16 *buflen, 1073 struct cifs_ses *ses, 1074 struct TCP_Server_Info *server, 1075 const struct nls_table *nls_cp) 1076 { 1077 int rc = 0; 1078 NEGOTIATE_MESSAGE *sec_blob; 1079 __u32 flags; 1080 unsigned char *tmp; 1081 int len; 1082 1083 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 1084 *pbuffer = kmalloc(len, GFP_KERNEL); 1085 if (!*pbuffer) { 1086 rc = -ENOMEM; 1087 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1088 *buflen = 0; 1089 goto setup_ntlm_neg_ret; 1090 } 1091 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 1092 1093 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 1094 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1095 sec_blob->MessageType = NtLmNegotiate; 1096 1097 /* BB is NTLMV2 session security format easier to use here? */ 1098 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1099 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1100 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1101 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1102 NTLMSSP_NEGOTIATE_SIGN; 1103 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1104 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1105 1106 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 1107 ses->ntlmssp->client_flags = flags; 1108 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1109 1110 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1111 cifs_security_buffer_from_str(&sec_blob->DomainName, 1112 NULL, 1113 CIFS_MAX_DOMAINNAME_LEN, 1114 *pbuffer, &tmp, 1115 nls_cp); 1116 1117 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1118 NULL, 1119 CIFS_MAX_WORKSTATION_LEN, 1120 *pbuffer, &tmp, 1121 nls_cp); 1122 1123 *buflen = tmp - *pbuffer; 1124 setup_ntlm_neg_ret: 1125 return rc; 1126 } 1127 1128 /* 1129 * Build ntlmssp blob with additional fields, such as version, 1130 * supported by modern servers. For safety limit to SMB3 or later 1131 * See notes in MS-NLMP Section 2.2.2.1 e.g. 1132 */ 1133 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 1134 u16 *buflen, 1135 struct cifs_ses *ses, 1136 struct TCP_Server_Info *server, 1137 const struct nls_table *nls_cp) 1138 { 1139 int rc = 0; 1140 struct negotiate_message *sec_blob; 1141 __u32 flags; 1142 unsigned char *tmp; 1143 int len; 1144 1145 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 1146 *pbuffer = kmalloc(len, GFP_KERNEL); 1147 if (!*pbuffer) { 1148 rc = -ENOMEM; 1149 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1150 *buflen = 0; 1151 goto setup_ntlm_smb3_neg_ret; 1152 } 1153 sec_blob = (struct negotiate_message *)*pbuffer; 1154 1155 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 1156 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1157 sec_blob->MessageType = NtLmNegotiate; 1158 1159 /* BB is NTLMV2 session security format easier to use here? */ 1160 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 1161 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 1162 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 1163 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 1164 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 1165 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 1166 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 1167 1168 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1169 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1170 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1171 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1172 1173 tmp = *pbuffer + sizeof(struct negotiate_message); 1174 ses->ntlmssp->client_flags = flags; 1175 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1176 1177 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 1178 cifs_security_buffer_from_str(&sec_blob->DomainName, 1179 NULL, 1180 CIFS_MAX_DOMAINNAME_LEN, 1181 *pbuffer, &tmp, 1182 nls_cp); 1183 1184 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1185 NULL, 1186 CIFS_MAX_WORKSTATION_LEN, 1187 *pbuffer, &tmp, 1188 nls_cp); 1189 1190 *buflen = tmp - *pbuffer; 1191 setup_ntlm_smb3_neg_ret: 1192 return rc; 1193 } 1194 1195 1196 /* See MS-NLMP 2.2.1.3 */ 1197 int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1198 u16 *buflen, 1199 struct cifs_ses *ses, 1200 struct TCP_Server_Info *server, 1201 const struct nls_table *nls_cp) 1202 { 1203 int rc; 1204 AUTHENTICATE_MESSAGE *sec_blob; 1205 __u32 flags; 1206 unsigned char *tmp; 1207 int len; 1208 1209 rc = setup_ntlmv2_rsp(ses, nls_cp); 1210 if (rc) { 1211 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1212 *buflen = 0; 1213 goto setup_ntlmv2_ret; 1214 } 1215 1216 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1217 *pbuffer = kmalloc(len, GFP_KERNEL); 1218 if (!*pbuffer) { 1219 rc = -ENOMEM; 1220 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1221 *buflen = 0; 1222 goto setup_ntlmv2_ret; 1223 } 1224 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1225 1226 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1227 sec_blob->MessageType = NtLmAuthenticate; 1228 1229 /* send version information in ntlmssp authenticate also */ 1230 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1231 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION | 1232 NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1233 1234 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 1235 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 1236 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 1237 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 1238 1239 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1240 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1241 1242 sec_blob->LmChallengeResponse.BufferOffset = 1243 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1244 sec_blob->LmChallengeResponse.Length = 0; 1245 sec_blob->LmChallengeResponse.MaximumLength = 0; 1246 1247 sec_blob->NtChallengeResponse.BufferOffset = 1248 cpu_to_le32(tmp - *pbuffer); 1249 if (ses->user_name != NULL) { 1250 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1251 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1252 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1253 1254 sec_blob->NtChallengeResponse.Length = 1255 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1256 sec_blob->NtChallengeResponse.MaximumLength = 1257 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1258 } else { 1259 /* 1260 * don't send an NT Response for anonymous access 1261 */ 1262 sec_blob->NtChallengeResponse.Length = 0; 1263 sec_blob->NtChallengeResponse.MaximumLength = 0; 1264 } 1265 1266 cifs_security_buffer_from_str(&sec_blob->DomainName, 1267 ses->domainName, 1268 CIFS_MAX_DOMAINNAME_LEN, 1269 *pbuffer, &tmp, 1270 nls_cp); 1271 1272 cifs_security_buffer_from_str(&sec_blob->UserName, 1273 ses->user_name, 1274 CIFS_MAX_USERNAME_LEN, 1275 *pbuffer, &tmp, 1276 nls_cp); 1277 1278 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1279 ses->workstation_name, 1280 ntlmssp_workstation_name_size(ses), 1281 *pbuffer, &tmp, 1282 nls_cp); 1283 1284 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1285 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1286 !calc_seckey(ses)) { 1287 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1288 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1289 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1290 sec_blob->SessionKey.MaximumLength = 1291 cpu_to_le16(CIFS_CPHTXT_SIZE); 1292 tmp += CIFS_CPHTXT_SIZE; 1293 } else { 1294 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1295 sec_blob->SessionKey.Length = 0; 1296 sec_blob->SessionKey.MaximumLength = 0; 1297 } 1298 1299 *buflen = tmp - *pbuffer; 1300 setup_ntlmv2_ret: 1301 return rc; 1302 } 1303 1304 enum securityEnum 1305 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1306 { 1307 switch (server->negflavor) { 1308 case CIFS_NEGFLAVOR_EXTENDED: 1309 switch (requested) { 1310 case Kerberos: 1311 case RawNTLMSSP: 1312 return requested; 1313 case Unspecified: 1314 if (server->sec_ntlmssp && 1315 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1316 return RawNTLMSSP; 1317 if ((server->sec_kerberos || server->sec_mskerberos) && 1318 (global_secflags & CIFSSEC_MAY_KRB5)) 1319 return Kerberos; 1320 fallthrough; 1321 default: 1322 return Unspecified; 1323 } 1324 case CIFS_NEGFLAVOR_UNENCAP: 1325 switch (requested) { 1326 case NTLMv2: 1327 return requested; 1328 case Unspecified: 1329 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1330 return NTLMv2; 1331 break; 1332 default: 1333 break; 1334 } 1335 fallthrough; 1336 default: 1337 return Unspecified; 1338 } 1339 } 1340 1341 struct sess_data { 1342 unsigned int xid; 1343 struct cifs_ses *ses; 1344 struct TCP_Server_Info *server; 1345 struct nls_table *nls_cp; 1346 void (*func)(struct sess_data *); 1347 int result; 1348 1349 /* we will send the SMB in three pieces: 1350 * a fixed length beginning part, an optional 1351 * SPNEGO blob (which can be zero length), and a 1352 * last part which will include the strings 1353 * and rest of bcc area. This allows us to avoid 1354 * a large buffer 17K allocation 1355 */ 1356 int buf0_type; 1357 struct kvec iov[3]; 1358 }; 1359 1360 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY 1361 static int 1362 sess_alloc_buffer(struct sess_data *sess_data, int wct) 1363 { 1364 int rc; 1365 struct cifs_ses *ses = sess_data->ses; 1366 struct smb_hdr *smb_buf; 1367 1368 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1369 (void **)&smb_buf); 1370 1371 if (rc) 1372 return rc; 1373 1374 sess_data->iov[0].iov_base = (char *)smb_buf; 1375 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1376 /* 1377 * This variable will be used to clear the buffer 1378 * allocated above in case of any error in the calling function. 1379 */ 1380 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1381 1382 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1383 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1384 if (!sess_data->iov[2].iov_base) { 1385 rc = -ENOMEM; 1386 goto out_free_smb_buf; 1387 } 1388 1389 return 0; 1390 1391 out_free_smb_buf: 1392 cifs_small_buf_release(smb_buf); 1393 sess_data->iov[0].iov_base = NULL; 1394 sess_data->iov[0].iov_len = 0; 1395 sess_data->buf0_type = CIFS_NO_BUFFER; 1396 return rc; 1397 } 1398 1399 static void 1400 sess_free_buffer(struct sess_data *sess_data) 1401 { 1402 struct kvec *iov = sess_data->iov; 1403 1404 /* 1405 * Zero the session data before freeing, as it might contain sensitive info (keys, etc). 1406 * Note that iov[1] is already freed by caller. 1407 */ 1408 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) 1409 memzero_explicit(iov[0].iov_base, iov[0].iov_len); 1410 1411 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); 1412 sess_data->buf0_type = CIFS_NO_BUFFER; 1413 kfree_sensitive(iov[2].iov_base); 1414 } 1415 1416 static int 1417 sess_establish_session(struct sess_data *sess_data) 1418 { 1419 struct cifs_ses *ses = sess_data->ses; 1420 struct TCP_Server_Info *server = sess_data->server; 1421 1422 cifs_server_lock(server); 1423 if (!server->session_estab) { 1424 if (server->sign) { 1425 server->session_key.response = 1426 kmemdup(ses->auth_key.response, 1427 ses->auth_key.len, GFP_KERNEL); 1428 if (!server->session_key.response) { 1429 cifs_server_unlock(server); 1430 return -ENOMEM; 1431 } 1432 server->session_key.len = 1433 ses->auth_key.len; 1434 } 1435 server->sequence_number = 0x2; 1436 server->session_estab = true; 1437 } 1438 cifs_server_unlock(server); 1439 1440 cifs_dbg(FYI, "CIFS session established successfully\n"); 1441 return 0; 1442 } 1443 1444 static int 1445 sess_sendreceive(struct sess_data *sess_data) 1446 { 1447 int rc; 1448 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1449 __u16 count; 1450 struct kvec rsp_iov = { NULL, 0 }; 1451 1452 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1453 be32_add_cpu(&smb_buf->smb_buf_length, count); 1454 put_bcc(count, smb_buf); 1455 1456 rc = SendReceive2(sess_data->xid, sess_data->ses, 1457 sess_data->iov, 3 /* num_iovecs */, 1458 &sess_data->buf0_type, 1459 CIFS_LOG_ERROR, &rsp_iov); 1460 cifs_small_buf_release(sess_data->iov[0].iov_base); 1461 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1462 1463 return rc; 1464 } 1465 1466 static void 1467 sess_auth_ntlmv2(struct sess_data *sess_data) 1468 { 1469 int rc = 0; 1470 struct smb_hdr *smb_buf; 1471 SESSION_SETUP_ANDX *pSMB; 1472 char *bcc_ptr; 1473 struct cifs_ses *ses = sess_data->ses; 1474 struct TCP_Server_Info *server = sess_data->server; 1475 __u32 capabilities; 1476 __u16 bytes_remaining; 1477 1478 /* old style NTLM sessionsetup */ 1479 /* wct = 13 */ 1480 rc = sess_alloc_buffer(sess_data, 13); 1481 if (rc) 1482 goto out; 1483 1484 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1485 bcc_ptr = sess_data->iov[2].iov_base; 1486 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1487 1488 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1489 1490 /* LM2 password would be here if we supported it */ 1491 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1492 1493 if (ses->user_name != NULL) { 1494 /* calculate nlmv2 response and session key */ 1495 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1496 if (rc) { 1497 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1498 goto out; 1499 } 1500 1501 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1502 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1503 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1504 1505 /* set case sensitive password length after tilen may get 1506 * assigned, tilen is 0 otherwise. 1507 */ 1508 pSMB->req_no_secext.CaseSensitivePasswordLength = 1509 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1510 } else { 1511 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1512 } 1513 1514 if (ses->capabilities & CAP_UNICODE) { 1515 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) { 1516 *bcc_ptr = 0; 1517 bcc_ptr++; 1518 } 1519 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1520 } else { 1521 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1522 } 1523 1524 1525 sess_data->iov[2].iov_len = (long) bcc_ptr - 1526 (long) sess_data->iov[2].iov_base; 1527 1528 rc = sess_sendreceive(sess_data); 1529 if (rc) 1530 goto out; 1531 1532 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1533 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1534 1535 if (smb_buf->WordCount != 3) { 1536 rc = -EIO; 1537 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1538 goto out; 1539 } 1540 1541 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1542 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1543 1544 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1545 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1546 1547 bytes_remaining = get_bcc(smb_buf); 1548 bcc_ptr = pByteArea(smb_buf); 1549 1550 /* BB check if Unicode and decode strings */ 1551 if (bytes_remaining == 0) { 1552 /* no string area to decode, do nothing */ 1553 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1554 /* unicode string area must be word-aligned */ 1555 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1556 ++bcc_ptr; 1557 --bytes_remaining; 1558 } 1559 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1560 sess_data->nls_cp); 1561 } else { 1562 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1563 sess_data->nls_cp); 1564 } 1565 1566 rc = sess_establish_session(sess_data); 1567 out: 1568 sess_data->result = rc; 1569 sess_data->func = NULL; 1570 sess_free_buffer(sess_data); 1571 kfree_sensitive(ses->auth_key.response); 1572 ses->auth_key.response = NULL; 1573 } 1574 1575 #ifdef CONFIG_CIFS_UPCALL 1576 static void 1577 sess_auth_kerberos(struct sess_data *sess_data) 1578 { 1579 int rc = 0; 1580 struct smb_hdr *smb_buf; 1581 SESSION_SETUP_ANDX *pSMB; 1582 char *bcc_ptr; 1583 struct cifs_ses *ses = sess_data->ses; 1584 struct TCP_Server_Info *server = sess_data->server; 1585 __u32 capabilities; 1586 __u16 bytes_remaining; 1587 struct key *spnego_key = NULL; 1588 struct cifs_spnego_msg *msg; 1589 u16 blob_len; 1590 1591 /* extended security */ 1592 /* wct = 12 */ 1593 rc = sess_alloc_buffer(sess_data, 12); 1594 if (rc) 1595 goto out; 1596 1597 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1598 bcc_ptr = sess_data->iov[2].iov_base; 1599 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1600 1601 spnego_key = cifs_get_spnego_key(ses, server); 1602 if (IS_ERR(spnego_key)) { 1603 rc = PTR_ERR(spnego_key); 1604 spnego_key = NULL; 1605 goto out; 1606 } 1607 1608 msg = spnego_key->payload.data[0]; 1609 /* 1610 * check version field to make sure that cifs.upcall is 1611 * sending us a response in an expected form 1612 */ 1613 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1614 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1615 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1616 rc = -EKEYREJECTED; 1617 goto out_put_spnego_key; 1618 } 1619 1620 kfree_sensitive(ses->auth_key.response); 1621 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1622 GFP_KERNEL); 1623 if (!ses->auth_key.response) { 1624 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1625 msg->sesskey_len); 1626 rc = -ENOMEM; 1627 goto out_put_spnego_key; 1628 } 1629 ses->auth_key.len = msg->sesskey_len; 1630 1631 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1632 capabilities |= CAP_EXTENDED_SECURITY; 1633 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1634 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1635 sess_data->iov[1].iov_len = msg->secblob_len; 1636 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1637 1638 if (ses->capabilities & CAP_UNICODE) { 1639 /* unicode strings must be word aligned */ 1640 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1641 *bcc_ptr = 0; 1642 bcc_ptr++; 1643 } 1644 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1645 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1646 } else { 1647 /* BB: is this right? */ 1648 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1649 } 1650 1651 sess_data->iov[2].iov_len = (long) bcc_ptr - 1652 (long) sess_data->iov[2].iov_base; 1653 1654 rc = sess_sendreceive(sess_data); 1655 if (rc) 1656 goto out_put_spnego_key; 1657 1658 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1659 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1660 1661 if (smb_buf->WordCount != 4) { 1662 rc = -EIO; 1663 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1664 goto out_put_spnego_key; 1665 } 1666 1667 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1668 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1669 1670 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1671 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1672 1673 bytes_remaining = get_bcc(smb_buf); 1674 bcc_ptr = pByteArea(smb_buf); 1675 1676 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1677 if (blob_len > bytes_remaining) { 1678 cifs_dbg(VFS, "bad security blob length %d\n", 1679 blob_len); 1680 rc = -EINVAL; 1681 goto out_put_spnego_key; 1682 } 1683 bcc_ptr += blob_len; 1684 bytes_remaining -= blob_len; 1685 1686 /* BB check if Unicode and decode strings */ 1687 if (bytes_remaining == 0) { 1688 /* no string area to decode, do nothing */ 1689 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1690 /* unicode string area must be word-aligned */ 1691 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1692 ++bcc_ptr; 1693 --bytes_remaining; 1694 } 1695 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1696 sess_data->nls_cp); 1697 } else { 1698 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1699 sess_data->nls_cp); 1700 } 1701 1702 rc = sess_establish_session(sess_data); 1703 out_put_spnego_key: 1704 key_invalidate(spnego_key); 1705 key_put(spnego_key); 1706 out: 1707 sess_data->result = rc; 1708 sess_data->func = NULL; 1709 sess_free_buffer(sess_data); 1710 kfree_sensitive(ses->auth_key.response); 1711 ses->auth_key.response = NULL; 1712 } 1713 1714 #endif /* ! CONFIG_CIFS_UPCALL */ 1715 1716 /* 1717 * The required kvec buffers have to be allocated before calling this 1718 * function. 1719 */ 1720 static int 1721 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1722 { 1723 SESSION_SETUP_ANDX *pSMB; 1724 struct cifs_ses *ses = sess_data->ses; 1725 struct TCP_Server_Info *server = sess_data->server; 1726 __u32 capabilities; 1727 char *bcc_ptr; 1728 1729 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1730 1731 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1732 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1733 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1734 return -ENOSYS; 1735 } 1736 1737 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1738 capabilities |= CAP_EXTENDED_SECURITY; 1739 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1740 1741 bcc_ptr = sess_data->iov[2].iov_base; 1742 /* unicode strings must be word aligned */ 1743 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { 1744 *bcc_ptr = 0; 1745 bcc_ptr++; 1746 } 1747 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1748 1749 sess_data->iov[2].iov_len = (long) bcc_ptr - 1750 (long) sess_data->iov[2].iov_base; 1751 1752 return 0; 1753 } 1754 1755 static void 1756 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1757 1758 static void 1759 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1760 { 1761 int rc; 1762 struct smb_hdr *smb_buf; 1763 SESSION_SETUP_ANDX *pSMB; 1764 struct cifs_ses *ses = sess_data->ses; 1765 struct TCP_Server_Info *server = sess_data->server; 1766 __u16 bytes_remaining; 1767 char *bcc_ptr; 1768 unsigned char *ntlmsspblob = NULL; 1769 u16 blob_len; 1770 1771 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1772 1773 /* 1774 * if memory allocation is successful, caller of this function 1775 * frees it. 1776 */ 1777 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1778 if (!ses->ntlmssp) { 1779 rc = -ENOMEM; 1780 goto out; 1781 } 1782 ses->ntlmssp->sesskey_per_smbsess = false; 1783 1784 /* wct = 12 */ 1785 rc = sess_alloc_buffer(sess_data, 12); 1786 if (rc) 1787 goto out; 1788 1789 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1790 1791 /* Build security blob before we assemble the request */ 1792 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1793 &blob_len, ses, server, 1794 sess_data->nls_cp); 1795 if (rc) 1796 goto out_free_ntlmsspblob; 1797 1798 sess_data->iov[1].iov_len = blob_len; 1799 sess_data->iov[1].iov_base = ntlmsspblob; 1800 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1801 1802 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1803 if (rc) 1804 goto out_free_ntlmsspblob; 1805 1806 rc = sess_sendreceive(sess_data); 1807 1808 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1809 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1810 1811 /* If true, rc here is expected and not an error */ 1812 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1813 smb_buf->Status.CifsError == 1814 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1815 rc = 0; 1816 1817 if (rc) 1818 goto out_free_ntlmsspblob; 1819 1820 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1821 1822 if (smb_buf->WordCount != 4) { 1823 rc = -EIO; 1824 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1825 goto out_free_ntlmsspblob; 1826 } 1827 1828 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1829 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1830 1831 bytes_remaining = get_bcc(smb_buf); 1832 bcc_ptr = pByteArea(smb_buf); 1833 1834 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1835 if (blob_len > bytes_remaining) { 1836 cifs_dbg(VFS, "bad security blob length %d\n", 1837 blob_len); 1838 rc = -EINVAL; 1839 goto out_free_ntlmsspblob; 1840 } 1841 1842 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1843 1844 out_free_ntlmsspblob: 1845 kfree_sensitive(ntlmsspblob); 1846 out: 1847 sess_free_buffer(sess_data); 1848 1849 if (!rc) { 1850 sess_data->func = sess_auth_rawntlmssp_authenticate; 1851 return; 1852 } 1853 1854 /* Else error. Cleanup */ 1855 kfree_sensitive(ses->auth_key.response); 1856 ses->auth_key.response = NULL; 1857 kfree_sensitive(ses->ntlmssp); 1858 ses->ntlmssp = NULL; 1859 1860 sess_data->func = NULL; 1861 sess_data->result = rc; 1862 } 1863 1864 static void 1865 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1866 { 1867 int rc; 1868 struct smb_hdr *smb_buf; 1869 SESSION_SETUP_ANDX *pSMB; 1870 struct cifs_ses *ses = sess_data->ses; 1871 struct TCP_Server_Info *server = sess_data->server; 1872 __u16 bytes_remaining; 1873 char *bcc_ptr; 1874 unsigned char *ntlmsspblob = NULL; 1875 u16 blob_len; 1876 1877 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1878 1879 /* wct = 12 */ 1880 rc = sess_alloc_buffer(sess_data, 12); 1881 if (rc) 1882 goto out; 1883 1884 /* Build security blob before we assemble the request */ 1885 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1886 smb_buf = (struct smb_hdr *)pSMB; 1887 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1888 &blob_len, ses, server, 1889 sess_data->nls_cp); 1890 if (rc) 1891 goto out_free_ntlmsspblob; 1892 sess_data->iov[1].iov_len = blob_len; 1893 sess_data->iov[1].iov_base = ntlmsspblob; 1894 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1895 /* 1896 * Make sure that we tell the server that we are using 1897 * the uid that it just gave us back on the response 1898 * (challenge) 1899 */ 1900 smb_buf->Uid = ses->Suid; 1901 1902 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1903 if (rc) 1904 goto out_free_ntlmsspblob; 1905 1906 rc = sess_sendreceive(sess_data); 1907 if (rc) 1908 goto out_free_ntlmsspblob; 1909 1910 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1911 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1912 if (smb_buf->WordCount != 4) { 1913 rc = -EIO; 1914 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1915 goto out_free_ntlmsspblob; 1916 } 1917 1918 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1919 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1920 1921 if (ses->Suid != smb_buf->Uid) { 1922 ses->Suid = smb_buf->Uid; 1923 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1924 } 1925 1926 bytes_remaining = get_bcc(smb_buf); 1927 bcc_ptr = pByteArea(smb_buf); 1928 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1929 if (blob_len > bytes_remaining) { 1930 cifs_dbg(VFS, "bad security blob length %d\n", 1931 blob_len); 1932 rc = -EINVAL; 1933 goto out_free_ntlmsspblob; 1934 } 1935 bcc_ptr += blob_len; 1936 bytes_remaining -= blob_len; 1937 1938 1939 /* BB check if Unicode and decode strings */ 1940 if (bytes_remaining == 0) { 1941 /* no string area to decode, do nothing */ 1942 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1943 /* unicode string area must be word-aligned */ 1944 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) { 1945 ++bcc_ptr; 1946 --bytes_remaining; 1947 } 1948 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1949 sess_data->nls_cp); 1950 } else { 1951 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1952 sess_data->nls_cp); 1953 } 1954 1955 out_free_ntlmsspblob: 1956 kfree_sensitive(ntlmsspblob); 1957 out: 1958 sess_free_buffer(sess_data); 1959 1960 if (!rc) 1961 rc = sess_establish_session(sess_data); 1962 1963 /* Cleanup */ 1964 kfree_sensitive(ses->auth_key.response); 1965 ses->auth_key.response = NULL; 1966 kfree_sensitive(ses->ntlmssp); 1967 ses->ntlmssp = NULL; 1968 1969 sess_data->func = NULL; 1970 sess_data->result = rc; 1971 } 1972 1973 static int select_sec(struct sess_data *sess_data) 1974 { 1975 int type; 1976 struct cifs_ses *ses = sess_data->ses; 1977 struct TCP_Server_Info *server = sess_data->server; 1978 1979 type = cifs_select_sectype(server, ses->sectype); 1980 cifs_dbg(FYI, "sess setup type %d\n", type); 1981 if (type == Unspecified) { 1982 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1983 return -EINVAL; 1984 } 1985 1986 switch (type) { 1987 case NTLMv2: 1988 sess_data->func = sess_auth_ntlmv2; 1989 break; 1990 case Kerberos: 1991 #ifdef CONFIG_CIFS_UPCALL 1992 sess_data->func = sess_auth_kerberos; 1993 break; 1994 #else 1995 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1996 return -ENOSYS; 1997 #endif /* CONFIG_CIFS_UPCALL */ 1998 case RawNTLMSSP: 1999 sess_data->func = sess_auth_rawntlmssp_negotiate; 2000 break; 2001 default: 2002 cifs_dbg(VFS, "secType %d not supported!\n", type); 2003 return -ENOSYS; 2004 } 2005 2006 return 0; 2007 } 2008 2009 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 2010 struct TCP_Server_Info *server, 2011 const struct nls_table *nls_cp) 2012 { 2013 int rc = 0; 2014 struct sess_data *sess_data; 2015 2016 if (ses == NULL) { 2017 WARN(1, "%s: ses == NULL!", __func__); 2018 return -EINVAL; 2019 } 2020 2021 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 2022 if (!sess_data) 2023 return -ENOMEM; 2024 2025 sess_data->xid = xid; 2026 sess_data->ses = ses; 2027 sess_data->server = server; 2028 sess_data->buf0_type = CIFS_NO_BUFFER; 2029 sess_data->nls_cp = (struct nls_table *) nls_cp; 2030 2031 rc = select_sec(sess_data); 2032 if (rc) 2033 goto out; 2034 2035 while (sess_data->func) 2036 sess_data->func(sess_data); 2037 2038 /* Store result before we free sess_data */ 2039 rc = sess_data->result; 2040 2041 out: 2042 kfree_sensitive(sess_data); 2043 return rc; 2044 } 2045 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ 2046