1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 *
4 * SMB/CIFS session setup handling routines
5 *
6 * Copyright (c) International Business Machines Corp., 2006, 2009
7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 */
10
11 #include "cifspdu.h"
12 #include "cifsglob.h"
13 #include "cifsproto.h"
14 #include "cifs_unicode.h"
15 #include "cifs_debug.h"
16 #include "ntlmssp.h"
17 #include "nterr.h"
18 #include <linux/utsname.h>
19 #include <linux/slab.h>
20 #include <linux/version.h>
21 #include "cifsfs.h"
22 #include "cifs_spnego.h"
23 #include "smb2proto.h"
24 #include "fs_context.h"
25
26 static int
27 cifs_ses_add_channel(struct cifs_ses *ses,
28 struct cifs_server_iface *iface);
29
30 bool
is_server_using_iface(struct TCP_Server_Info * server,struct cifs_server_iface * iface)31 is_server_using_iface(struct TCP_Server_Info *server,
32 struct cifs_server_iface *iface)
33 {
34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr;
35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr;
36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr;
37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr;
38
39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family)
40 return false;
41 if (server->dstaddr.ss_family == AF_INET) {
42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr)
43 return false;
44 } else if (server->dstaddr.ss_family == AF_INET6) {
45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr,
46 sizeof(i6->sin6_addr)) != 0)
47 return false;
48 } else {
49 /* unknown family.. */
50 return false;
51 }
52 return true;
53 }
54
is_ses_using_iface(struct cifs_ses * ses,struct cifs_server_iface * iface)55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
56 {
57 int i;
58
59 spin_lock(&ses->chan_lock);
60 for (i = 0; i < ses->chan_count; i++) {
61 if (ses->chans[i].iface == iface) {
62 spin_unlock(&ses->chan_lock);
63 return true;
64 }
65 }
66 spin_unlock(&ses->chan_lock);
67 return false;
68 }
69
70 /* channel helper functions. assumed that chan_lock is held by caller. */
71
72 int
cifs_ses_get_chan_index(struct cifs_ses * ses,struct TCP_Server_Info * server)73 cifs_ses_get_chan_index(struct cifs_ses *ses,
74 struct TCP_Server_Info *server)
75 {
76 unsigned int i;
77
78 /* if the channel is waiting for termination */
79 if (server && server->terminate)
80 return CIFS_INVAL_CHAN_INDEX;
81
82 for (i = 0; i < ses->chan_count; i++) {
83 if (ses->chans[i].server == server)
84 return i;
85 }
86
87 /* If we didn't find the channel, it is likely a bug */
88 if (server)
89 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
90 server->conn_id);
91 return CIFS_INVAL_CHAN_INDEX;
92 }
93
94 void
cifs_chan_set_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)95 cifs_chan_set_in_reconnect(struct cifs_ses *ses,
96 struct TCP_Server_Info *server)
97 {
98 int chan_index = cifs_ses_get_chan_index(ses, server);
99
100 if (chan_index == CIFS_INVAL_CHAN_INDEX)
101 return;
102
103 ses->chans[chan_index].in_reconnect = true;
104 }
105
106 void
cifs_chan_clear_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)107 cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
108 struct TCP_Server_Info *server)
109 {
110 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
111 if (chan_index == CIFS_INVAL_CHAN_INDEX)
112 return;
113
114 ses->chans[chan_index].in_reconnect = false;
115 }
116
117 bool
cifs_chan_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)118 cifs_chan_in_reconnect(struct cifs_ses *ses,
119 struct TCP_Server_Info *server)
120 {
121 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
122 if (chan_index == CIFS_INVAL_CHAN_INDEX)
123 return true; /* err on the safer side */
124
125 return CIFS_CHAN_IN_RECONNECT(ses, chan_index);
126 }
127
128 void
cifs_chan_set_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)129 cifs_chan_set_need_reconnect(struct cifs_ses *ses,
130 struct TCP_Server_Info *server)
131 {
132 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
133 if (chan_index == CIFS_INVAL_CHAN_INDEX)
134 return;
135
136 set_bit(chan_index, &ses->chans_need_reconnect);
137 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
138 chan_index, ses->chans_need_reconnect);
139 }
140
141 void
cifs_chan_clear_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)142 cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
143 struct TCP_Server_Info *server)
144 {
145 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
146 if (chan_index == CIFS_INVAL_CHAN_INDEX)
147 return;
148
149 clear_bit(chan_index, &ses->chans_need_reconnect);
150 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
151 chan_index, ses->chans_need_reconnect);
152 }
153
154 bool
cifs_chan_needs_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)155 cifs_chan_needs_reconnect(struct cifs_ses *ses,
156 struct TCP_Server_Info *server)
157 {
158 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
159 if (chan_index == CIFS_INVAL_CHAN_INDEX)
160 return true; /* err on the safer side */
161
162 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
163 }
164
165 bool
cifs_chan_is_iface_active(struct cifs_ses * ses,struct TCP_Server_Info * server)166 cifs_chan_is_iface_active(struct cifs_ses *ses,
167 struct TCP_Server_Info *server)
168 {
169 unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
170 if (chan_index == CIFS_INVAL_CHAN_INDEX)
171 return true; /* err on the safer side */
172
173 return ses->chans[chan_index].iface &&
174 ses->chans[chan_index].iface->is_active;
175 }
176
177 /* returns number of channels added */
cifs_try_adding_channels(struct cifs_ses * ses)178 int cifs_try_adding_channels(struct cifs_ses *ses)
179 {
180 struct TCP_Server_Info *server = ses->server;
181 int old_chan_count, new_chan_count;
182 int left;
183 int rc = 0;
184 int tries = 0;
185 size_t iface_weight = 0, iface_min_speed = 0;
186 struct cifs_server_iface *iface = NULL, *niface = NULL;
187 struct cifs_server_iface *last_iface = NULL;
188
189 spin_lock(&ses->chan_lock);
190
191 new_chan_count = old_chan_count = ses->chan_count;
192 left = ses->chan_max - ses->chan_count;
193
194 if (left <= 0) {
195 spin_unlock(&ses->chan_lock);
196 cifs_dbg(FYI,
197 "ses already at max_channels (%zu), nothing to open\n",
198 ses->chan_max);
199 return 0;
200 }
201
202 if (server->dialect < SMB30_PROT_ID) {
203 spin_unlock(&ses->chan_lock);
204 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
205 return 0;
206 }
207
208 if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
209 spin_unlock(&ses->chan_lock);
210 cifs_server_dbg(VFS, "no multichannel support\n");
211 return 0;
212 }
213 spin_unlock(&ses->chan_lock);
214
215 while (left > 0) {
216
217 tries++;
218 if (tries > 3*ses->chan_max) {
219 cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
220 left);
221 break;
222 }
223
224 spin_lock(&ses->iface_lock);
225 if (!ses->iface_count) {
226 spin_unlock(&ses->iface_lock);
227 cifs_dbg(VFS, "server %s does not advertise interfaces\n",
228 ses->server->hostname);
229 break;
230 }
231
232 if (!iface)
233 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
234 iface_head);
235 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
236 iface_head);
237 iface_min_speed = last_iface->speed;
238
239 list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
240 iface_head) {
241 /* do not mix rdma and non-rdma interfaces */
242 if (iface->rdma_capable != ses->server->rdma)
243 continue;
244
245 /* skip ifaces that are unusable */
246 if (!iface->is_active ||
247 (is_ses_using_iface(ses, iface) &&
248 !iface->rss_capable))
249 continue;
250
251 /* check if we already allocated enough channels */
252 iface_weight = iface->speed / iface_min_speed;
253
254 if (iface->weight_fulfilled >= iface_weight)
255 continue;
256
257 /* take ref before unlock */
258 kref_get(&iface->refcount);
259
260 spin_unlock(&ses->iface_lock);
261 rc = cifs_ses_add_channel(ses, iface);
262 spin_lock(&ses->iface_lock);
263
264 if (rc) {
265 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
266 &iface->sockaddr,
267 rc);
268 kref_put(&iface->refcount, release_iface);
269 /* failure to add chan should increase weight */
270 iface->weight_fulfilled++;
271 continue;
272 }
273
274 iface->num_channels++;
275 iface->weight_fulfilled++;
276 cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n",
277 &iface->sockaddr);
278 break;
279 }
280
281 /* reached end of list. reset weight_fulfilled and start over */
282 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
283 list_for_each_entry(iface, &ses->iface_list, iface_head)
284 iface->weight_fulfilled = 0;
285 spin_unlock(&ses->iface_lock);
286 iface = NULL;
287 continue;
288 }
289 spin_unlock(&ses->iface_lock);
290
291 left--;
292 new_chan_count++;
293 }
294
295 return new_chan_count - old_chan_count;
296 }
297
298 /*
299 * called when multichannel is disabled by the server.
300 * this always gets called from smb2_reconnect
301 * and cannot get called in parallel threads.
302 */
303 void
cifs_disable_secondary_channels(struct cifs_ses * ses)304 cifs_disable_secondary_channels(struct cifs_ses *ses)
305 {
306 int i, chan_count;
307 struct TCP_Server_Info *server;
308 struct cifs_server_iface *iface;
309
310 spin_lock(&ses->chan_lock);
311 chan_count = ses->chan_count;
312 if (chan_count == 1)
313 goto done;
314
315 ses->chan_count = 1;
316
317 /* for all secondary channels reset the need reconnect bit */
318 ses->chans_need_reconnect &= 1;
319
320 for (i = 1; i < chan_count; i++) {
321 iface = ses->chans[i].iface;
322 server = ses->chans[i].server;
323
324 /*
325 * remove these references first, since we need to unlock
326 * the chan_lock here, since iface_lock is a higher lock
327 */
328 ses->chans[i].iface = NULL;
329 ses->chans[i].server = NULL;
330 spin_unlock(&ses->chan_lock);
331
332 if (iface) {
333 spin_lock(&ses->iface_lock);
334 kref_put(&iface->refcount, release_iface);
335 iface->num_channels--;
336 if (iface->weight_fulfilled)
337 iface->weight_fulfilled--;
338 spin_unlock(&ses->iface_lock);
339 }
340
341 if (server) {
342 if (!server->terminate) {
343 server->terminate = true;
344 cifs_signal_cifsd_for_reconnect(server, false);
345 }
346 cifs_put_tcp_session(server, false);
347 }
348
349 spin_lock(&ses->chan_lock);
350 }
351
352 done:
353 spin_unlock(&ses->chan_lock);
354 }
355
356 /*
357 * update the iface for the channel if necessary.
358 * will return 0 when iface is updated, 1 if removed, 2 otherwise
359 * Must be called with chan_lock held.
360 */
361 int
cifs_chan_update_iface(struct cifs_ses * ses,struct TCP_Server_Info * server)362 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
363 {
364 unsigned int chan_index;
365 size_t iface_weight = 0, iface_min_speed = 0;
366 struct cifs_server_iface *iface = NULL;
367 struct cifs_server_iface *old_iface = NULL;
368 struct cifs_server_iface *last_iface = NULL;
369 struct sockaddr_storage ss;
370 int rc = 0;
371
372 spin_lock(&ses->chan_lock);
373 chan_index = cifs_ses_get_chan_index(ses, server);
374 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
375 spin_unlock(&ses->chan_lock);
376 return 0;
377 }
378
379 if (ses->chans[chan_index].iface) {
380 old_iface = ses->chans[chan_index].iface;
381 if (old_iface->is_active) {
382 spin_unlock(&ses->chan_lock);
383 return 1;
384 }
385 }
386 spin_unlock(&ses->chan_lock);
387
388 spin_lock(&server->srv_lock);
389 ss = server->dstaddr;
390 spin_unlock(&server->srv_lock);
391
392 spin_lock(&ses->iface_lock);
393 if (!ses->iface_count) {
394 spin_unlock(&ses->iface_lock);
395 cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname);
396 return 0;
397 }
398
399 last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
400 iface_head);
401 iface_min_speed = last_iface->speed;
402
403 /* then look for a new one */
404 list_for_each_entry(iface, &ses->iface_list, iface_head) {
405 if (!chan_index) {
406 /* if we're trying to get the updated iface for primary channel */
407 if (!cifs_match_ipaddr((struct sockaddr *) &ss,
408 (struct sockaddr *) &iface->sockaddr))
409 continue;
410
411 kref_get(&iface->refcount);
412 break;
413 }
414
415 /* do not mix rdma and non-rdma interfaces */
416 if (iface->rdma_capable != server->rdma)
417 continue;
418
419 if (!iface->is_active ||
420 (is_ses_using_iface(ses, iface) &&
421 !iface->rss_capable)) {
422 continue;
423 }
424
425 /* check if we already allocated enough channels */
426 iface_weight = iface->speed / iface_min_speed;
427
428 if (iface->weight_fulfilled >= iface_weight)
429 continue;
430
431 kref_get(&iface->refcount);
432 break;
433 }
434
435 if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
436 rc = 1;
437 iface = NULL;
438 cifs_dbg(FYI, "unable to find a suitable iface\n");
439 }
440
441 if (!chan_index && !iface) {
442 cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
443 &ss);
444 spin_unlock(&ses->iface_lock);
445 return 0;
446 }
447
448 /* now drop the ref to the current iface */
449 if (old_iface && iface) {
450 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
451 &old_iface->sockaddr,
452 &iface->sockaddr);
453
454 old_iface->num_channels--;
455 if (old_iface->weight_fulfilled)
456 old_iface->weight_fulfilled--;
457 iface->num_channels++;
458 iface->weight_fulfilled++;
459
460 kref_put(&old_iface->refcount, release_iface);
461 } else if (old_iface) {
462 cifs_dbg(FYI, "releasing ref to iface: %pIS\n",
463 &old_iface->sockaddr);
464
465 old_iface->num_channels--;
466 if (old_iface->weight_fulfilled)
467 old_iface->weight_fulfilled--;
468
469 kref_put(&old_iface->refcount, release_iface);
470 } else if (!chan_index) {
471 /* special case: update interface for primary channel */
472 cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
473 &iface->sockaddr);
474 iface->num_channels++;
475 iface->weight_fulfilled++;
476 } else {
477 WARN_ON(!iface);
478 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr);
479 }
480 spin_unlock(&ses->iface_lock);
481
482 spin_lock(&ses->chan_lock);
483 chan_index = cifs_ses_get_chan_index(ses, server);
484 if (chan_index == CIFS_INVAL_CHAN_INDEX) {
485 spin_unlock(&ses->chan_lock);
486 return 0;
487 }
488
489 ses->chans[chan_index].iface = iface;
490
491 /* No iface is found. if secondary chan, drop connection */
492 if (!iface && SERVER_IS_CHAN(server))
493 ses->chans[chan_index].server = NULL;
494
495 spin_unlock(&ses->chan_lock);
496
497 if (!iface && SERVER_IS_CHAN(server))
498 cifs_put_tcp_session(server, false);
499
500 return rc;
501 }
502
503 /*
504 * If server is a channel of ses, return the corresponding enclosing
505 * cifs_chan otherwise return NULL.
506 */
507 struct cifs_chan *
cifs_ses_find_chan(struct cifs_ses * ses,struct TCP_Server_Info * server)508 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server)
509 {
510 int i;
511
512 spin_lock(&ses->chan_lock);
513 for (i = 0; i < ses->chan_count; i++) {
514 if (ses->chans[i].server == server) {
515 spin_unlock(&ses->chan_lock);
516 return &ses->chans[i];
517 }
518 }
519 spin_unlock(&ses->chan_lock);
520 return NULL;
521 }
522
523 static int
cifs_ses_add_channel(struct cifs_ses * ses,struct cifs_server_iface * iface)524 cifs_ses_add_channel(struct cifs_ses *ses,
525 struct cifs_server_iface *iface)
526 {
527 struct TCP_Server_Info *chan_server;
528 struct cifs_chan *chan;
529 struct smb3_fs_context *ctx;
530 static const char unc_fmt[] = "\\%s\\foo";
531 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
532 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
533 size_t len;
534 int rc;
535 unsigned int xid = get_xid();
536
537 if (iface->sockaddr.ss_family == AF_INET)
538 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
539 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
540 &ipv4->sin_addr);
541 else
542 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
543 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
544 &ipv6->sin6_addr);
545
546 /*
547 * Setup a ctx with mostly the same info as the existing
548 * session and overwrite it with the requested iface data.
549 *
550 * We need to setup at least the fields used for negprot and
551 * sesssetup.
552 *
553 * We only need the ctx here, so we can reuse memory from
554 * the session and server without caring about memory
555 * management.
556 */
557 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
558 if (!ctx) {
559 rc = -ENOMEM;
560 goto out_free_xid;
561 }
562
563 /* Always make new connection for now (TODO?) */
564 ctx->nosharesock = true;
565
566 /* Auth */
567 ctx->domainauto = ses->domainAuto;
568 ctx->domainname = ses->domainName;
569
570 /* no hostname for extra channels */
571 ctx->server_hostname = "";
572
573 ctx->username = ses->user_name;
574 ctx->password = ses->password;
575 ctx->sectype = ses->sectype;
576 ctx->sign = ses->sign;
577
578 /* UNC and paths */
579 /* XXX: Use ses->server->hostname? */
580 len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
581 ctx->UNC = kzalloc(len, GFP_KERNEL);
582 if (!ctx->UNC) {
583 rc = -ENOMEM;
584 goto out_free_ctx;
585 }
586 scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr);
587 ctx->prepath = "";
588
589 /* Reuse same version as master connection */
590 ctx->vals = ses->server->vals;
591 ctx->ops = ses->server->ops;
592
593 ctx->noblocksnd = ses->server->noblocksnd;
594 ctx->noautotune = ses->server->noautotune;
595 ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
596 ctx->echo_interval = ses->server->echo_interval / HZ;
597 ctx->max_credits = ses->server->max_credits;
598
599 /*
600 * This will be used for encoding/decoding user/domain/pw
601 * during sess setup auth.
602 */
603 ctx->local_nls = ses->local_nls;
604
605 /* Use RDMA if possible */
606 ctx->rdma = iface->rdma_capable;
607 memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
608
609 /* reuse master con client guid */
610 memcpy(&ctx->client_guid, ses->server->client_guid,
611 sizeof(ctx->client_guid));
612 ctx->use_client_guid = true;
613
614 chan_server = cifs_get_tcp_session(ctx, ses->server);
615
616 spin_lock(&ses->chan_lock);
617 chan = &ses->chans[ses->chan_count];
618 chan->server = chan_server;
619 if (IS_ERR(chan->server)) {
620 rc = PTR_ERR(chan->server);
621 chan->server = NULL;
622 spin_unlock(&ses->chan_lock);
623 goto out;
624 }
625 chan->iface = iface;
626 ses->chan_count++;
627 atomic_set(&ses->chan_seq, 0);
628
629 /* Mark this channel as needing connect/setup */
630 cifs_chan_set_need_reconnect(ses, chan->server);
631
632 spin_unlock(&ses->chan_lock);
633
634 mutex_lock(&ses->session_mutex);
635 /*
636 * We need to allocate the server crypto now as we will need
637 * to sign packets before we generate the channel signing key
638 * (we sign with the session key)
639 */
640 rc = smb311_crypto_shash_allocate(chan->server);
641 if (rc) {
642 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
643 mutex_unlock(&ses->session_mutex);
644 goto out;
645 }
646
647 rc = cifs_negotiate_protocol(xid, ses, chan->server);
648 if (!rc)
649 rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
650
651 mutex_unlock(&ses->session_mutex);
652
653 out:
654 if (rc && chan->server) {
655 cifs_put_tcp_session(chan->server, 0);
656
657 spin_lock(&ses->chan_lock);
658
659 /* we rely on all bits beyond chan_count to be clear */
660 cifs_chan_clear_need_reconnect(ses, chan->server);
661 ses->chan_count--;
662 /*
663 * chan_count should never reach 0 as at least the primary
664 * channel is always allocated
665 */
666 WARN_ON(ses->chan_count < 1);
667 spin_unlock(&ses->chan_lock);
668 }
669
670 kfree(ctx->UNC);
671 out_free_ctx:
672 kfree(ctx);
673 out_free_xid:
674 free_xid(xid);
675 return rc;
676 }
677
678 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
cifs_ssetup_hdr(struct cifs_ses * ses,struct TCP_Server_Info * server,SESSION_SETUP_ANDX * pSMB)679 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
680 struct TCP_Server_Info *server,
681 SESSION_SETUP_ANDX *pSMB)
682 {
683 __u32 capabilities = 0;
684
685 /* init fields common to all four types of SessSetup */
686 /* Note that offsets for first seven fields in req struct are same */
687 /* in CIFS Specs so does not matter which of 3 forms of struct */
688 /* that we use in next few lines */
689 /* Note that header is initialized to zero in header_assemble */
690 pSMB->req.AndXCommand = 0xFF;
691 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
692 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
693 USHRT_MAX));
694 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
695 pSMB->req.VcNumber = cpu_to_le16(1);
696
697 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
698
699 /* BB verify whether signing required on neg or just on auth frame
700 (and NTLM case) */
701
702 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
703 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
704
705 if (server->sign)
706 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
707
708 if (ses->capabilities & CAP_UNICODE) {
709 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
710 capabilities |= CAP_UNICODE;
711 }
712 if (ses->capabilities & CAP_STATUS32) {
713 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
714 capabilities |= CAP_STATUS32;
715 }
716 if (ses->capabilities & CAP_DFS) {
717 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
718 capabilities |= CAP_DFS;
719 }
720 if (ses->capabilities & CAP_UNIX)
721 capabilities |= CAP_UNIX;
722
723 return capabilities;
724 }
725
726 static void
unicode_oslm_strings(char ** pbcc_area,const struct nls_table * nls_cp)727 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
728 {
729 char *bcc_ptr = *pbcc_area;
730 int bytes_ret = 0;
731
732 /* Copy OS version */
733 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
734 nls_cp);
735 bcc_ptr += 2 * bytes_ret;
736 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
737 32, nls_cp);
738 bcc_ptr += 2 * bytes_ret;
739 bcc_ptr += 2; /* trailing null */
740
741 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
742 32, nls_cp);
743 bcc_ptr += 2 * bytes_ret;
744 bcc_ptr += 2; /* trailing null */
745
746 *pbcc_area = bcc_ptr;
747 }
748
unicode_domain_string(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)749 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
750 const struct nls_table *nls_cp)
751 {
752 char *bcc_ptr = *pbcc_area;
753 int bytes_ret = 0;
754
755 /* copy domain */
756 if (ses->domainName == NULL) {
757 /* Sending null domain better than using a bogus domain name (as
758 we did briefly in 2.6.18) since server will use its default */
759 *bcc_ptr = 0;
760 *(bcc_ptr+1) = 0;
761 bytes_ret = 0;
762 } else
763 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
764 CIFS_MAX_DOMAINNAME_LEN, nls_cp);
765 bcc_ptr += 2 * bytes_ret;
766 bcc_ptr += 2; /* account for null terminator */
767
768 *pbcc_area = bcc_ptr;
769 }
770
unicode_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)771 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
772 const struct nls_table *nls_cp)
773 {
774 char *bcc_ptr = *pbcc_area;
775 int bytes_ret = 0;
776
777 /* BB FIXME add check that strings total less
778 than 335 or will need to send them as arrays */
779
780 /* copy user */
781 if (ses->user_name == NULL) {
782 /* null user mount */
783 *bcc_ptr = 0;
784 *(bcc_ptr+1) = 0;
785 } else {
786 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
787 CIFS_MAX_USERNAME_LEN, nls_cp);
788 }
789 bcc_ptr += 2 * bytes_ret;
790 bcc_ptr += 2; /* account for null termination */
791
792 unicode_domain_string(&bcc_ptr, ses, nls_cp);
793 unicode_oslm_strings(&bcc_ptr, nls_cp);
794
795 *pbcc_area = bcc_ptr;
796 }
797
ascii_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)798 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
799 const struct nls_table *nls_cp)
800 {
801 char *bcc_ptr = *pbcc_area;
802 int len;
803
804 /* copy user */
805 /* BB what about null user mounts - check that we do this BB */
806 /* copy user */
807 if (ses->user_name != NULL) {
808 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
809 if (WARN_ON_ONCE(len < 0))
810 len = CIFS_MAX_USERNAME_LEN - 1;
811 bcc_ptr += len;
812 }
813 /* else null user mount */
814 *bcc_ptr = 0;
815 bcc_ptr++; /* account for null termination */
816
817 /* copy domain */
818 if (ses->domainName != NULL) {
819 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
820 if (WARN_ON_ONCE(len < 0))
821 len = CIFS_MAX_DOMAINNAME_LEN - 1;
822 bcc_ptr += len;
823 } /* else we will send a null domain name
824 so the server will default to its own domain */
825 *bcc_ptr = 0;
826 bcc_ptr++;
827
828 /* BB check for overflow here */
829
830 strcpy(bcc_ptr, "Linux version ");
831 bcc_ptr += strlen("Linux version ");
832 strcpy(bcc_ptr, init_utsname()->release);
833 bcc_ptr += strlen(init_utsname()->release) + 1;
834
835 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
836 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
837
838 *pbcc_area = bcc_ptr;
839 }
840
841 static void
decode_unicode_ssetup(char ** pbcc_area,int bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)842 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
843 const struct nls_table *nls_cp)
844 {
845 int len;
846 char *data = *pbcc_area;
847
848 cifs_dbg(FYI, "bleft %d\n", bleft);
849
850 kfree(ses->serverOS);
851 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
852 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
853 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
854 data += len;
855 bleft -= len;
856 if (bleft <= 0)
857 return;
858
859 kfree(ses->serverNOS);
860 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
861 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
862 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
863 data += len;
864 bleft -= len;
865 if (bleft <= 0)
866 return;
867
868 kfree(ses->serverDomain);
869 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
870 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
871
872 return;
873 }
874
decode_ascii_ssetup(char ** pbcc_area,__u16 bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)875 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
876 struct cifs_ses *ses,
877 const struct nls_table *nls_cp)
878 {
879 int len;
880 char *bcc_ptr = *pbcc_area;
881
882 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
883
884 len = strnlen(bcc_ptr, bleft);
885 if (len >= bleft)
886 return;
887
888 kfree(ses->serverOS);
889
890 ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
891 if (ses->serverOS) {
892 memcpy(ses->serverOS, bcc_ptr, len);
893 ses->serverOS[len] = 0;
894 if (strncmp(ses->serverOS, "OS/2", 4) == 0)
895 cifs_dbg(FYI, "OS/2 server\n");
896 }
897
898 bcc_ptr += len + 1;
899 bleft -= len + 1;
900
901 len = strnlen(bcc_ptr, bleft);
902 if (len >= bleft)
903 return;
904
905 kfree(ses->serverNOS);
906
907 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
908 if (ses->serverNOS) {
909 memcpy(ses->serverNOS, bcc_ptr, len);
910 ses->serverNOS[len] = 0;
911 }
912
913 bcc_ptr += len + 1;
914 bleft -= len + 1;
915
916 len = strnlen(bcc_ptr, bleft);
917 if (len > bleft)
918 return;
919
920 /* No domain field in LANMAN case. Domain is
921 returned by old servers in the SMB negprot response */
922 /* BB For newer servers which do not support Unicode,
923 but thus do return domain here we could add parsing
924 for it later, but it is not very important */
925 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
926 }
927 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
928
decode_ntlmssp_challenge(char * bcc_ptr,int blob_len,struct cifs_ses * ses)929 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
930 struct cifs_ses *ses)
931 {
932 unsigned int tioffset; /* challenge message target info area */
933 unsigned int tilen; /* challenge message target info area length */
934 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
935 __u32 server_flags;
936
937 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
938 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
939 return -EINVAL;
940 }
941
942 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
943 cifs_dbg(VFS, "blob signature incorrect %s\n",
944 pblob->Signature);
945 return -EINVAL;
946 }
947 if (pblob->MessageType != NtLmChallenge) {
948 cifs_dbg(VFS, "Incorrect message type %d\n",
949 pblob->MessageType);
950 return -EINVAL;
951 }
952
953 server_flags = le32_to_cpu(pblob->NegotiateFlags);
954 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
955 ses->ntlmssp->client_flags, server_flags);
956
957 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) &&
958 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
959 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
960 __func__);
961 return -EINVAL;
962 }
963 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
964 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
965 return -EINVAL;
966 }
967 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
968 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
969 __func__);
970 return -EOPNOTSUPP;
971 }
972 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
973 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
974 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
975 __func__);
976
977 ses->ntlmssp->server_flags = server_flags;
978
979 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
980 /* In particular we can examine sign flags */
981 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
982 we must set the MIC field of the AUTHENTICATE_MESSAGE */
983
984 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
985 tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
986 if (tioffset > blob_len || tioffset + tilen > blob_len) {
987 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
988 tioffset, tilen);
989 return -EINVAL;
990 }
991 if (tilen) {
992 kfree_sensitive(ses->auth_key.response);
993 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
994 GFP_KERNEL);
995 if (!ses->auth_key.response) {
996 cifs_dbg(VFS, "Challenge target info alloc failure\n");
997 return -ENOMEM;
998 }
999 ses->auth_key.len = tilen;
1000 }
1001
1002 return 0;
1003 }
1004
size_of_ntlmssp_blob(struct cifs_ses * ses,int base_size)1005 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size)
1006 {
1007 int sz = base_size + ses->auth_key.len
1008 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
1009
1010 if (ses->domainName)
1011 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
1012 else
1013 sz += sizeof(__le16);
1014
1015 if (ses->user_name)
1016 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
1017 else
1018 sz += sizeof(__le16);
1019
1020 if (ses->workstation_name[0])
1021 sz += sizeof(__le16) * strnlen(ses->workstation_name,
1022 ntlmssp_workstation_name_size(ses));
1023 else
1024 sz += sizeof(__le16);
1025
1026 return sz;
1027 }
1028
cifs_security_buffer_from_str(SECURITY_BUFFER * pbuf,char * str_value,int str_length,unsigned char * pstart,unsigned char ** pcur,const struct nls_table * nls_cp)1029 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
1030 char *str_value,
1031 int str_length,
1032 unsigned char *pstart,
1033 unsigned char **pcur,
1034 const struct nls_table *nls_cp)
1035 {
1036 unsigned char *tmp = pstart;
1037 int len;
1038
1039 if (!pbuf)
1040 return;
1041
1042 if (!pcur)
1043 pcur = &tmp;
1044
1045 if (!str_value) {
1046 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1047 pbuf->Length = 0;
1048 pbuf->MaximumLength = 0;
1049 *pcur += sizeof(__le16);
1050 } else {
1051 len = cifs_strtoUTF16((__le16 *)*pcur,
1052 str_value,
1053 str_length,
1054 nls_cp);
1055 len *= sizeof(__le16);
1056 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1057 pbuf->Length = cpu_to_le16(len);
1058 pbuf->MaximumLength = cpu_to_le16(len);
1059 *pcur += len;
1060 }
1061 }
1062
1063 /* BB Move to ntlmssp.c eventually */
1064
build_ntlmssp_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1065 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
1066 u16 *buflen,
1067 struct cifs_ses *ses,
1068 struct TCP_Server_Info *server,
1069 const struct nls_table *nls_cp)
1070 {
1071 int rc = 0;
1072 NEGOTIATE_MESSAGE *sec_blob;
1073 __u32 flags;
1074 unsigned char *tmp;
1075 int len;
1076
1077 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE));
1078 *pbuffer = kmalloc(len, GFP_KERNEL);
1079 if (!*pbuffer) {
1080 rc = -ENOMEM;
1081 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1082 *buflen = 0;
1083 goto setup_ntlm_neg_ret;
1084 }
1085 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer;
1086
1087 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
1088 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1089 sec_blob->MessageType = NtLmNegotiate;
1090
1091 /* BB is NTLMV2 session security format easier to use here? */
1092 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
1093 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1094 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1095 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1096 NTLMSSP_NEGOTIATE_SIGN;
1097 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1098 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1099
1100 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE);
1101 ses->ntlmssp->client_flags = flags;
1102 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1103
1104 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1105 cifs_security_buffer_from_str(&sec_blob->DomainName,
1106 NULL,
1107 CIFS_MAX_DOMAINNAME_LEN,
1108 *pbuffer, &tmp,
1109 nls_cp);
1110
1111 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1112 NULL,
1113 CIFS_MAX_WORKSTATION_LEN,
1114 *pbuffer, &tmp,
1115 nls_cp);
1116
1117 *buflen = tmp - *pbuffer;
1118 setup_ntlm_neg_ret:
1119 return rc;
1120 }
1121
1122 /*
1123 * Build ntlmssp blob with additional fields, such as version,
1124 * supported by modern servers. For safety limit to SMB3 or later
1125 * See notes in MS-NLMP Section 2.2.2.1 e.g.
1126 */
build_ntlmssp_smb3_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1127 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
1128 u16 *buflen,
1129 struct cifs_ses *ses,
1130 struct TCP_Server_Info *server,
1131 const struct nls_table *nls_cp)
1132 {
1133 int rc = 0;
1134 struct negotiate_message *sec_blob;
1135 __u32 flags;
1136 unsigned char *tmp;
1137 int len;
1138
1139 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message));
1140 *pbuffer = kmalloc(len, GFP_KERNEL);
1141 if (!*pbuffer) {
1142 rc = -ENOMEM;
1143 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1144 *buflen = 0;
1145 goto setup_ntlm_smb3_neg_ret;
1146 }
1147 sec_blob = (struct negotiate_message *)*pbuffer;
1148
1149 memset(*pbuffer, 0, sizeof(struct negotiate_message));
1150 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1151 sec_blob->MessageType = NtLmNegotiate;
1152
1153 /* BB is NTLMV2 session security format easier to use here? */
1154 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
1155 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1156 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1157 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1158 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION;
1159 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1160 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1161
1162 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1163 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1164 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1165 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1166
1167 tmp = *pbuffer + sizeof(struct negotiate_message);
1168 ses->ntlmssp->client_flags = flags;
1169 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1170
1171 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1172 cifs_security_buffer_from_str(&sec_blob->DomainName,
1173 NULL,
1174 CIFS_MAX_DOMAINNAME_LEN,
1175 *pbuffer, &tmp,
1176 nls_cp);
1177
1178 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1179 NULL,
1180 CIFS_MAX_WORKSTATION_LEN,
1181 *pbuffer, &tmp,
1182 nls_cp);
1183
1184 *buflen = tmp - *pbuffer;
1185 setup_ntlm_smb3_neg_ret:
1186 return rc;
1187 }
1188
1189
1190 /* See MS-NLMP 2.2.1.3 */
build_ntlmssp_auth_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1191 int build_ntlmssp_auth_blob(unsigned char **pbuffer,
1192 u16 *buflen,
1193 struct cifs_ses *ses,
1194 struct TCP_Server_Info *server,
1195 const struct nls_table *nls_cp)
1196 {
1197 int rc;
1198 AUTHENTICATE_MESSAGE *sec_blob;
1199 __u32 flags;
1200 unsigned char *tmp;
1201 int len;
1202
1203 rc = setup_ntlmv2_rsp(ses, nls_cp);
1204 if (rc) {
1205 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
1206 *buflen = 0;
1207 goto setup_ntlmv2_ret;
1208 }
1209
1210 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE));
1211 *pbuffer = kmalloc(len, GFP_KERNEL);
1212 if (!*pbuffer) {
1213 rc = -ENOMEM;
1214 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1215 *buflen = 0;
1216 goto setup_ntlmv2_ret;
1217 }
1218 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
1219
1220 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1221 sec_blob->MessageType = NtLmAuthenticate;
1222
1223 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
1224 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
1225 /* we only send version information in ntlmssp negotiate, so do not set this flag */
1226 flags = flags & ~NTLMSSP_NEGOTIATE_VERSION;
1227 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
1228 sec_blob->NegotiateFlags = cpu_to_le32(flags);
1229
1230 sec_blob->LmChallengeResponse.BufferOffset =
1231 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
1232 sec_blob->LmChallengeResponse.Length = 0;
1233 sec_blob->LmChallengeResponse.MaximumLength = 0;
1234
1235 sec_blob->NtChallengeResponse.BufferOffset =
1236 cpu_to_le32(tmp - *pbuffer);
1237 if (ses->user_name != NULL) {
1238 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1239 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1240 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1241
1242 sec_blob->NtChallengeResponse.Length =
1243 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1244 sec_blob->NtChallengeResponse.MaximumLength =
1245 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1246 } else {
1247 /*
1248 * don't send an NT Response for anonymous access
1249 */
1250 sec_blob->NtChallengeResponse.Length = 0;
1251 sec_blob->NtChallengeResponse.MaximumLength = 0;
1252 }
1253
1254 cifs_security_buffer_from_str(&sec_blob->DomainName,
1255 ses->domainName,
1256 CIFS_MAX_DOMAINNAME_LEN,
1257 *pbuffer, &tmp,
1258 nls_cp);
1259
1260 cifs_security_buffer_from_str(&sec_blob->UserName,
1261 ses->user_name,
1262 CIFS_MAX_USERNAME_LEN,
1263 *pbuffer, &tmp,
1264 nls_cp);
1265
1266 cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1267 ses->workstation_name,
1268 ntlmssp_workstation_name_size(ses),
1269 *pbuffer, &tmp,
1270 nls_cp);
1271
1272 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
1273 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) &&
1274 !calc_seckey(ses)) {
1275 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
1276 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1277 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1278 sec_blob->SessionKey.MaximumLength =
1279 cpu_to_le16(CIFS_CPHTXT_SIZE);
1280 tmp += CIFS_CPHTXT_SIZE;
1281 } else {
1282 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1283 sec_blob->SessionKey.Length = 0;
1284 sec_blob->SessionKey.MaximumLength = 0;
1285 }
1286
1287 *buflen = tmp - *pbuffer;
1288 setup_ntlmv2_ret:
1289 return rc;
1290 }
1291
1292 enum securityEnum
cifs_select_sectype(struct TCP_Server_Info * server,enum securityEnum requested)1293 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
1294 {
1295 switch (server->negflavor) {
1296 case CIFS_NEGFLAVOR_EXTENDED:
1297 switch (requested) {
1298 case Kerberos:
1299 case RawNTLMSSP:
1300 return requested;
1301 case Unspecified:
1302 if (server->sec_ntlmssp &&
1303 (global_secflags & CIFSSEC_MAY_NTLMSSP))
1304 return RawNTLMSSP;
1305 if ((server->sec_kerberos || server->sec_mskerberos) &&
1306 (global_secflags & CIFSSEC_MAY_KRB5))
1307 return Kerberos;
1308 fallthrough;
1309 default:
1310 return Unspecified;
1311 }
1312 case CIFS_NEGFLAVOR_UNENCAP:
1313 switch (requested) {
1314 case NTLMv2:
1315 return requested;
1316 case Unspecified:
1317 if (global_secflags & CIFSSEC_MAY_NTLMV2)
1318 return NTLMv2;
1319 break;
1320 default:
1321 break;
1322 }
1323 fallthrough;
1324 default:
1325 return Unspecified;
1326 }
1327 }
1328
1329 struct sess_data {
1330 unsigned int xid;
1331 struct cifs_ses *ses;
1332 struct TCP_Server_Info *server;
1333 struct nls_table *nls_cp;
1334 void (*func)(struct sess_data *);
1335 int result;
1336
1337 /* we will send the SMB in three pieces:
1338 * a fixed length beginning part, an optional
1339 * SPNEGO blob (which can be zero length), and a
1340 * last part which will include the strings
1341 * and rest of bcc area. This allows us to avoid
1342 * a large buffer 17K allocation
1343 */
1344 int buf0_type;
1345 struct kvec iov[3];
1346 };
1347
1348 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1349 static int
sess_alloc_buffer(struct sess_data * sess_data,int wct)1350 sess_alloc_buffer(struct sess_data *sess_data, int wct)
1351 {
1352 int rc;
1353 struct cifs_ses *ses = sess_data->ses;
1354 struct smb_hdr *smb_buf;
1355
1356 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
1357 (void **)&smb_buf);
1358
1359 if (rc)
1360 return rc;
1361
1362 sess_data->iov[0].iov_base = (char *)smb_buf;
1363 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
1364 /*
1365 * This variable will be used to clear the buffer
1366 * allocated above in case of any error in the calling function.
1367 */
1368 sess_data->buf0_type = CIFS_SMALL_BUFFER;
1369
1370 /* 2000 big enough to fit max user, domain, NOS name etc. */
1371 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
1372 if (!sess_data->iov[2].iov_base) {
1373 rc = -ENOMEM;
1374 goto out_free_smb_buf;
1375 }
1376
1377 return 0;
1378
1379 out_free_smb_buf:
1380 cifs_small_buf_release(smb_buf);
1381 sess_data->iov[0].iov_base = NULL;
1382 sess_data->iov[0].iov_len = 0;
1383 sess_data->buf0_type = CIFS_NO_BUFFER;
1384 return rc;
1385 }
1386
1387 static void
sess_free_buffer(struct sess_data * sess_data)1388 sess_free_buffer(struct sess_data *sess_data)
1389 {
1390 struct kvec *iov = sess_data->iov;
1391
1392 /*
1393 * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
1394 * Note that iov[1] is already freed by caller.
1395 */
1396 if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
1397 memzero_explicit(iov[0].iov_base, iov[0].iov_len);
1398
1399 free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
1400 sess_data->buf0_type = CIFS_NO_BUFFER;
1401 kfree_sensitive(iov[2].iov_base);
1402 }
1403
1404 static int
sess_establish_session(struct sess_data * sess_data)1405 sess_establish_session(struct sess_data *sess_data)
1406 {
1407 struct cifs_ses *ses = sess_data->ses;
1408 struct TCP_Server_Info *server = sess_data->server;
1409
1410 cifs_server_lock(server);
1411 if (!server->session_estab) {
1412 if (server->sign) {
1413 server->session_key.response =
1414 kmemdup(ses->auth_key.response,
1415 ses->auth_key.len, GFP_KERNEL);
1416 if (!server->session_key.response) {
1417 cifs_server_unlock(server);
1418 return -ENOMEM;
1419 }
1420 server->session_key.len =
1421 ses->auth_key.len;
1422 }
1423 server->sequence_number = 0x2;
1424 server->session_estab = true;
1425 }
1426 cifs_server_unlock(server);
1427
1428 cifs_dbg(FYI, "CIFS session established successfully\n");
1429 return 0;
1430 }
1431
1432 static int
sess_sendreceive(struct sess_data * sess_data)1433 sess_sendreceive(struct sess_data *sess_data)
1434 {
1435 int rc;
1436 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
1437 __u16 count;
1438 struct kvec rsp_iov = { NULL, 0 };
1439
1440 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
1441 be32_add_cpu(&smb_buf->smb_buf_length, count);
1442 put_bcc(count, smb_buf);
1443
1444 rc = SendReceive2(sess_data->xid, sess_data->ses,
1445 sess_data->iov, 3 /* num_iovecs */,
1446 &sess_data->buf0_type,
1447 CIFS_LOG_ERROR, &rsp_iov);
1448 cifs_small_buf_release(sess_data->iov[0].iov_base);
1449 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec));
1450
1451 return rc;
1452 }
1453
1454 static void
sess_auth_ntlmv2(struct sess_data * sess_data)1455 sess_auth_ntlmv2(struct sess_data *sess_data)
1456 {
1457 int rc = 0;
1458 struct smb_hdr *smb_buf;
1459 SESSION_SETUP_ANDX *pSMB;
1460 char *bcc_ptr;
1461 struct cifs_ses *ses = sess_data->ses;
1462 struct TCP_Server_Info *server = sess_data->server;
1463 __u32 capabilities;
1464 __u16 bytes_remaining;
1465
1466 /* old style NTLM sessionsetup */
1467 /* wct = 13 */
1468 rc = sess_alloc_buffer(sess_data, 13);
1469 if (rc)
1470 goto out;
1471
1472 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1473 bcc_ptr = sess_data->iov[2].iov_base;
1474 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1475
1476 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1477
1478 /* LM2 password would be here if we supported it */
1479 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1480
1481 if (ses->user_name != NULL) {
1482 /* calculate nlmv2 response and session key */
1483 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1484 if (rc) {
1485 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1486 goto out;
1487 }
1488
1489 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1490 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1491 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1492
1493 /* set case sensitive password length after tilen may get
1494 * assigned, tilen is 0 otherwise.
1495 */
1496 pSMB->req_no_secext.CaseSensitivePasswordLength =
1497 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1498 } else {
1499 pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1500 }
1501
1502 if (ses->capabilities & CAP_UNICODE) {
1503 if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) {
1504 *bcc_ptr = 0;
1505 bcc_ptr++;
1506 }
1507 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1508 } else {
1509 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1510 }
1511
1512
1513 sess_data->iov[2].iov_len = (long) bcc_ptr -
1514 (long) sess_data->iov[2].iov_base;
1515
1516 rc = sess_sendreceive(sess_data);
1517 if (rc)
1518 goto out;
1519
1520 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1521 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1522
1523 if (smb_buf->WordCount != 3) {
1524 rc = -EIO;
1525 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1526 goto out;
1527 }
1528
1529 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1530 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1531
1532 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1533 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1534
1535 bytes_remaining = get_bcc(smb_buf);
1536 bcc_ptr = pByteArea(smb_buf);
1537
1538 /* BB check if Unicode and decode strings */
1539 if (bytes_remaining == 0) {
1540 /* no string area to decode, do nothing */
1541 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1542 /* unicode string area must be word-aligned */
1543 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1544 ++bcc_ptr;
1545 --bytes_remaining;
1546 }
1547 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1548 sess_data->nls_cp);
1549 } else {
1550 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1551 sess_data->nls_cp);
1552 }
1553
1554 rc = sess_establish_session(sess_data);
1555 out:
1556 sess_data->result = rc;
1557 sess_data->func = NULL;
1558 sess_free_buffer(sess_data);
1559 kfree_sensitive(ses->auth_key.response);
1560 ses->auth_key.response = NULL;
1561 }
1562
1563 #ifdef CONFIG_CIFS_UPCALL
1564 static void
sess_auth_kerberos(struct sess_data * sess_data)1565 sess_auth_kerberos(struct sess_data *sess_data)
1566 {
1567 int rc = 0;
1568 struct smb_hdr *smb_buf;
1569 SESSION_SETUP_ANDX *pSMB;
1570 char *bcc_ptr;
1571 struct cifs_ses *ses = sess_data->ses;
1572 struct TCP_Server_Info *server = sess_data->server;
1573 __u32 capabilities;
1574 __u16 bytes_remaining;
1575 struct key *spnego_key = NULL;
1576 struct cifs_spnego_msg *msg;
1577 u16 blob_len;
1578
1579 /* extended security */
1580 /* wct = 12 */
1581 rc = sess_alloc_buffer(sess_data, 12);
1582 if (rc)
1583 goto out;
1584
1585 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1586 bcc_ptr = sess_data->iov[2].iov_base;
1587 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1588
1589 spnego_key = cifs_get_spnego_key(ses, server);
1590 if (IS_ERR(spnego_key)) {
1591 rc = PTR_ERR(spnego_key);
1592 spnego_key = NULL;
1593 goto out;
1594 }
1595
1596 msg = spnego_key->payload.data[0];
1597 /*
1598 * check version field to make sure that cifs.upcall is
1599 * sending us a response in an expected form
1600 */
1601 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1602 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1603 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1604 rc = -EKEYREJECTED;
1605 goto out_put_spnego_key;
1606 }
1607
1608 kfree_sensitive(ses->auth_key.response);
1609 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1610 GFP_KERNEL);
1611 if (!ses->auth_key.response) {
1612 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1613 msg->sesskey_len);
1614 rc = -ENOMEM;
1615 goto out_put_spnego_key;
1616 }
1617 ses->auth_key.len = msg->sesskey_len;
1618
1619 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1620 capabilities |= CAP_EXTENDED_SECURITY;
1621 pSMB->req.Capabilities = cpu_to_le32(capabilities);
1622 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1623 sess_data->iov[1].iov_len = msg->secblob_len;
1624 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1625
1626 if (ses->capabilities & CAP_UNICODE) {
1627 /* unicode strings must be word aligned */
1628 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1629 *bcc_ptr = 0;
1630 bcc_ptr++;
1631 }
1632 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1633 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1634 } else {
1635 /* BB: is this right? */
1636 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1637 }
1638
1639 sess_data->iov[2].iov_len = (long) bcc_ptr -
1640 (long) sess_data->iov[2].iov_base;
1641
1642 rc = sess_sendreceive(sess_data);
1643 if (rc)
1644 goto out_put_spnego_key;
1645
1646 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1647 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1648
1649 if (smb_buf->WordCount != 4) {
1650 rc = -EIO;
1651 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1652 goto out_put_spnego_key;
1653 }
1654
1655 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1656 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1657
1658 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1659 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1660
1661 bytes_remaining = get_bcc(smb_buf);
1662 bcc_ptr = pByteArea(smb_buf);
1663
1664 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1665 if (blob_len > bytes_remaining) {
1666 cifs_dbg(VFS, "bad security blob length %d\n",
1667 blob_len);
1668 rc = -EINVAL;
1669 goto out_put_spnego_key;
1670 }
1671 bcc_ptr += blob_len;
1672 bytes_remaining -= blob_len;
1673
1674 /* BB check if Unicode and decode strings */
1675 if (bytes_remaining == 0) {
1676 /* no string area to decode, do nothing */
1677 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1678 /* unicode string area must be word-aligned */
1679 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1680 ++bcc_ptr;
1681 --bytes_remaining;
1682 }
1683 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1684 sess_data->nls_cp);
1685 } else {
1686 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1687 sess_data->nls_cp);
1688 }
1689
1690 rc = sess_establish_session(sess_data);
1691 out_put_spnego_key:
1692 key_invalidate(spnego_key);
1693 key_put(spnego_key);
1694 out:
1695 sess_data->result = rc;
1696 sess_data->func = NULL;
1697 sess_free_buffer(sess_data);
1698 kfree_sensitive(ses->auth_key.response);
1699 ses->auth_key.response = NULL;
1700 }
1701
1702 #endif /* ! CONFIG_CIFS_UPCALL */
1703
1704 /*
1705 * The required kvec buffers have to be allocated before calling this
1706 * function.
1707 */
1708 static int
_sess_auth_rawntlmssp_assemble_req(struct sess_data * sess_data)1709 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1710 {
1711 SESSION_SETUP_ANDX *pSMB;
1712 struct cifs_ses *ses = sess_data->ses;
1713 struct TCP_Server_Info *server = sess_data->server;
1714 __u32 capabilities;
1715 char *bcc_ptr;
1716
1717 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1718
1719 capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1720 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
1721 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
1722 return -ENOSYS;
1723 }
1724
1725 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1726 capabilities |= CAP_EXTENDED_SECURITY;
1727 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1728
1729 bcc_ptr = sess_data->iov[2].iov_base;
1730 /* unicode strings must be word aligned */
1731 if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1732 *bcc_ptr = 0;
1733 bcc_ptr++;
1734 }
1735 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1736
1737 sess_data->iov[2].iov_len = (long) bcc_ptr -
1738 (long) sess_data->iov[2].iov_base;
1739
1740 return 0;
1741 }
1742
1743 static void
1744 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1745
1746 static void
sess_auth_rawntlmssp_negotiate(struct sess_data * sess_data)1747 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1748 {
1749 int rc;
1750 struct smb_hdr *smb_buf;
1751 SESSION_SETUP_ANDX *pSMB;
1752 struct cifs_ses *ses = sess_data->ses;
1753 struct TCP_Server_Info *server = sess_data->server;
1754 __u16 bytes_remaining;
1755 char *bcc_ptr;
1756 unsigned char *ntlmsspblob = NULL;
1757 u16 blob_len;
1758
1759 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1760
1761 /*
1762 * if memory allocation is successful, caller of this function
1763 * frees it.
1764 */
1765 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1766 if (!ses->ntlmssp) {
1767 rc = -ENOMEM;
1768 goto out;
1769 }
1770 ses->ntlmssp->sesskey_per_smbsess = false;
1771
1772 /* wct = 12 */
1773 rc = sess_alloc_buffer(sess_data, 12);
1774 if (rc)
1775 goto out;
1776
1777 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1778
1779 /* Build security blob before we assemble the request */
1780 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob,
1781 &blob_len, ses, server,
1782 sess_data->nls_cp);
1783 if (rc)
1784 goto out_free_ntlmsspblob;
1785
1786 sess_data->iov[1].iov_len = blob_len;
1787 sess_data->iov[1].iov_base = ntlmsspblob;
1788 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1789
1790 rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1791 if (rc)
1792 goto out_free_ntlmsspblob;
1793
1794 rc = sess_sendreceive(sess_data);
1795
1796 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1797 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1798
1799 /* If true, rc here is expected and not an error */
1800 if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1801 smb_buf->Status.CifsError ==
1802 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1803 rc = 0;
1804
1805 if (rc)
1806 goto out_free_ntlmsspblob;
1807
1808 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1809
1810 if (smb_buf->WordCount != 4) {
1811 rc = -EIO;
1812 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1813 goto out_free_ntlmsspblob;
1814 }
1815
1816 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
1817 cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1818
1819 bytes_remaining = get_bcc(smb_buf);
1820 bcc_ptr = pByteArea(smb_buf);
1821
1822 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1823 if (blob_len > bytes_remaining) {
1824 cifs_dbg(VFS, "bad security blob length %d\n",
1825 blob_len);
1826 rc = -EINVAL;
1827 goto out_free_ntlmsspblob;
1828 }
1829
1830 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1831
1832 out_free_ntlmsspblob:
1833 kfree_sensitive(ntlmsspblob);
1834 out:
1835 sess_free_buffer(sess_data);
1836
1837 if (!rc) {
1838 sess_data->func = sess_auth_rawntlmssp_authenticate;
1839 return;
1840 }
1841
1842 /* Else error. Cleanup */
1843 kfree_sensitive(ses->auth_key.response);
1844 ses->auth_key.response = NULL;
1845 kfree_sensitive(ses->ntlmssp);
1846 ses->ntlmssp = NULL;
1847
1848 sess_data->func = NULL;
1849 sess_data->result = rc;
1850 }
1851
1852 static void
sess_auth_rawntlmssp_authenticate(struct sess_data * sess_data)1853 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1854 {
1855 int rc;
1856 struct smb_hdr *smb_buf;
1857 SESSION_SETUP_ANDX *pSMB;
1858 struct cifs_ses *ses = sess_data->ses;
1859 struct TCP_Server_Info *server = sess_data->server;
1860 __u16 bytes_remaining;
1861 char *bcc_ptr;
1862 unsigned char *ntlmsspblob = NULL;
1863 u16 blob_len;
1864
1865 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1866
1867 /* wct = 12 */
1868 rc = sess_alloc_buffer(sess_data, 12);
1869 if (rc)
1870 goto out;
1871
1872 /* Build security blob before we assemble the request */
1873 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1874 smb_buf = (struct smb_hdr *)pSMB;
1875 rc = build_ntlmssp_auth_blob(&ntlmsspblob,
1876 &blob_len, ses, server,
1877 sess_data->nls_cp);
1878 if (rc)
1879 goto out_free_ntlmsspblob;
1880 sess_data->iov[1].iov_len = blob_len;
1881 sess_data->iov[1].iov_base = ntlmsspblob;
1882 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1883 /*
1884 * Make sure that we tell the server that we are using
1885 * the uid that it just gave us back on the response
1886 * (challenge)
1887 */
1888 smb_buf->Uid = ses->Suid;
1889
1890 rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1891 if (rc)
1892 goto out_free_ntlmsspblob;
1893
1894 rc = sess_sendreceive(sess_data);
1895 if (rc)
1896 goto out_free_ntlmsspblob;
1897
1898 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1899 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1900 if (smb_buf->WordCount != 4) {
1901 rc = -EIO;
1902 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1903 goto out_free_ntlmsspblob;
1904 }
1905
1906 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1907 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1908
1909 if (ses->Suid != smb_buf->Uid) {
1910 ses->Suid = smb_buf->Uid;
1911 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1912 }
1913
1914 bytes_remaining = get_bcc(smb_buf);
1915 bcc_ptr = pByteArea(smb_buf);
1916 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1917 if (blob_len > bytes_remaining) {
1918 cifs_dbg(VFS, "bad security blob length %d\n",
1919 blob_len);
1920 rc = -EINVAL;
1921 goto out_free_ntlmsspblob;
1922 }
1923 bcc_ptr += blob_len;
1924 bytes_remaining -= blob_len;
1925
1926
1927 /* BB check if Unicode and decode strings */
1928 if (bytes_remaining == 0) {
1929 /* no string area to decode, do nothing */
1930 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1931 /* unicode string area must be word-aligned */
1932 if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1933 ++bcc_ptr;
1934 --bytes_remaining;
1935 }
1936 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1937 sess_data->nls_cp);
1938 } else {
1939 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1940 sess_data->nls_cp);
1941 }
1942
1943 out_free_ntlmsspblob:
1944 kfree_sensitive(ntlmsspblob);
1945 out:
1946 sess_free_buffer(sess_data);
1947
1948 if (!rc)
1949 rc = sess_establish_session(sess_data);
1950
1951 /* Cleanup */
1952 kfree_sensitive(ses->auth_key.response);
1953 ses->auth_key.response = NULL;
1954 kfree_sensitive(ses->ntlmssp);
1955 ses->ntlmssp = NULL;
1956
1957 sess_data->func = NULL;
1958 sess_data->result = rc;
1959 }
1960
select_sec(struct sess_data * sess_data)1961 static int select_sec(struct sess_data *sess_data)
1962 {
1963 int type;
1964 struct cifs_ses *ses = sess_data->ses;
1965 struct TCP_Server_Info *server = sess_data->server;
1966
1967 type = cifs_select_sectype(server, ses->sectype);
1968 cifs_dbg(FYI, "sess setup type %d\n", type);
1969 if (type == Unspecified) {
1970 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1971 return -EINVAL;
1972 }
1973
1974 switch (type) {
1975 case NTLMv2:
1976 sess_data->func = sess_auth_ntlmv2;
1977 break;
1978 case Kerberos:
1979 #ifdef CONFIG_CIFS_UPCALL
1980 sess_data->func = sess_auth_kerberos;
1981 break;
1982 #else
1983 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1984 return -ENOSYS;
1985 #endif /* CONFIG_CIFS_UPCALL */
1986 case RawNTLMSSP:
1987 sess_data->func = sess_auth_rawntlmssp_negotiate;
1988 break;
1989 default:
1990 cifs_dbg(VFS, "secType %d not supported!\n", type);
1991 return -ENOSYS;
1992 }
1993
1994 return 0;
1995 }
1996
CIFS_SessSetup(const unsigned int xid,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1997 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1998 struct TCP_Server_Info *server,
1999 const struct nls_table *nls_cp)
2000 {
2001 int rc = 0;
2002 struct sess_data *sess_data;
2003
2004 if (ses == NULL) {
2005 WARN(1, "%s: ses == NULL!", __func__);
2006 return -EINVAL;
2007 }
2008
2009 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
2010 if (!sess_data)
2011 return -ENOMEM;
2012
2013 sess_data->xid = xid;
2014 sess_data->ses = ses;
2015 sess_data->server = server;
2016 sess_data->buf0_type = CIFS_NO_BUFFER;
2017 sess_data->nls_cp = (struct nls_table *) nls_cp;
2018
2019 rc = select_sec(sess_data);
2020 if (rc)
2021 goto out;
2022
2023 while (sess_data->func)
2024 sess_data->func(sess_data);
2025
2026 /* Store result before we free sess_data */
2027 rc = sess_data->result;
2028
2029 out:
2030 kfree_sensitive(sess_data);
2031 return rc;
2032 }
2033 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
2034