1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3  *
4  *   SMB/CIFS session setup handling routines
5  *
6  *   Copyright (c) International Business Machines  Corp., 2006, 2009
7  *   Author(s): Steve French (sfrench@us.ibm.com)
8  *
9  */
10 
11 #include "cifspdu.h"
12 #include "cifsglob.h"
13 #include "cifsproto.h"
14 #include "cifs_unicode.h"
15 #include "cifs_debug.h"
16 #include "ntlmssp.h"
17 #include "nterr.h"
18 #include <linux/utsname.h>
19 #include <linux/slab.h>
20 #include <linux/version.h>
21 #include "cifsfs.h"
22 #include "cifs_spnego.h"
23 #include "smb2proto.h"
24 #include "fs_context.h"
25 
26 static int
27 cifs_ses_add_channel(struct cifs_ses *ses,
28 		     struct cifs_server_iface *iface);
29 
30 bool
is_server_using_iface(struct TCP_Server_Info * server,struct cifs_server_iface * iface)31 is_server_using_iface(struct TCP_Server_Info *server,
32 		      struct cifs_server_iface *iface)
33 {
34 	struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr;
35 	struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr;
36 	struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr;
37 	struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr;
38 
39 	if (server->dstaddr.ss_family != iface->sockaddr.ss_family)
40 		return false;
41 	if (server->dstaddr.ss_family == AF_INET) {
42 		if (s4->sin_addr.s_addr != i4->sin_addr.s_addr)
43 			return false;
44 	} else if (server->dstaddr.ss_family == AF_INET6) {
45 		if (memcmp(&s6->sin6_addr, &i6->sin6_addr,
46 			   sizeof(i6->sin6_addr)) != 0)
47 			return false;
48 	} else {
49 		/* unknown family.. */
50 		return false;
51 	}
52 	return true;
53 }
54 
is_ses_using_iface(struct cifs_ses * ses,struct cifs_server_iface * iface)55 bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
56 {
57 	int i;
58 
59 	spin_lock(&ses->chan_lock);
60 	for (i = 0; i < ses->chan_count; i++) {
61 		if (ses->chans[i].iface == iface) {
62 			spin_unlock(&ses->chan_lock);
63 			return true;
64 		}
65 	}
66 	spin_unlock(&ses->chan_lock);
67 	return false;
68 }
69 
70 /* channel helper functions. assumed that chan_lock is held by caller. */
71 
72 int
cifs_ses_get_chan_index(struct cifs_ses * ses,struct TCP_Server_Info * server)73 cifs_ses_get_chan_index(struct cifs_ses *ses,
74 			struct TCP_Server_Info *server)
75 {
76 	unsigned int i;
77 
78 	/* if the channel is waiting for termination */
79 	if (server && server->terminate)
80 		return CIFS_INVAL_CHAN_INDEX;
81 
82 	for (i = 0; i < ses->chan_count; i++) {
83 		if (ses->chans[i].server == server)
84 			return i;
85 	}
86 
87 	/* If we didn't find the channel, it is likely a bug */
88 	if (server)
89 		cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
90 			 server->conn_id);
91 	return CIFS_INVAL_CHAN_INDEX;
92 }
93 
94 void
cifs_chan_set_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)95 cifs_chan_set_in_reconnect(struct cifs_ses *ses,
96 			     struct TCP_Server_Info *server)
97 {
98 	int chan_index = cifs_ses_get_chan_index(ses, server);
99 
100 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
101 		return;
102 
103 	ses->chans[chan_index].in_reconnect = true;
104 }
105 
106 void
cifs_chan_clear_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)107 cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
108 			     struct TCP_Server_Info *server)
109 {
110 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
111 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
112 		return;
113 
114 	ses->chans[chan_index].in_reconnect = false;
115 }
116 
117 bool
cifs_chan_in_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)118 cifs_chan_in_reconnect(struct cifs_ses *ses,
119 			  struct TCP_Server_Info *server)
120 {
121 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
122 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
123 		return true;	/* err on the safer side */
124 
125 	return CIFS_CHAN_IN_RECONNECT(ses, chan_index);
126 }
127 
128 void
cifs_chan_set_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)129 cifs_chan_set_need_reconnect(struct cifs_ses *ses,
130 			     struct TCP_Server_Info *server)
131 {
132 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
133 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
134 		return;
135 
136 	set_bit(chan_index, &ses->chans_need_reconnect);
137 	cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
138 		 chan_index, ses->chans_need_reconnect);
139 }
140 
141 void
cifs_chan_clear_need_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)142 cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
143 			       struct TCP_Server_Info *server)
144 {
145 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
146 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
147 		return;
148 
149 	clear_bit(chan_index, &ses->chans_need_reconnect);
150 	cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
151 		 chan_index, ses->chans_need_reconnect);
152 }
153 
154 bool
cifs_chan_needs_reconnect(struct cifs_ses * ses,struct TCP_Server_Info * server)155 cifs_chan_needs_reconnect(struct cifs_ses *ses,
156 			  struct TCP_Server_Info *server)
157 {
158 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
159 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
160 		return true;	/* err on the safer side */
161 
162 	return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
163 }
164 
165 bool
cifs_chan_is_iface_active(struct cifs_ses * ses,struct TCP_Server_Info * server)166 cifs_chan_is_iface_active(struct cifs_ses *ses,
167 			  struct TCP_Server_Info *server)
168 {
169 	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
170 	if (chan_index == CIFS_INVAL_CHAN_INDEX)
171 		return true;	/* err on the safer side */
172 
173 	return ses->chans[chan_index].iface &&
174 		ses->chans[chan_index].iface->is_active;
175 }
176 
177 /* returns number of channels added */
cifs_try_adding_channels(struct cifs_ses * ses)178 int cifs_try_adding_channels(struct cifs_ses *ses)
179 {
180 	struct TCP_Server_Info *server = ses->server;
181 	int old_chan_count, new_chan_count;
182 	int left;
183 	int rc = 0;
184 	int tries = 0;
185 	size_t iface_weight = 0, iface_min_speed = 0;
186 	struct cifs_server_iface *iface = NULL, *niface = NULL;
187 	struct cifs_server_iface *last_iface = NULL;
188 
189 	spin_lock(&ses->chan_lock);
190 
191 	new_chan_count = old_chan_count = ses->chan_count;
192 	left = ses->chan_max - ses->chan_count;
193 
194 	if (left <= 0) {
195 		spin_unlock(&ses->chan_lock);
196 		cifs_dbg(FYI,
197 			 "ses already at max_channels (%zu), nothing to open\n",
198 			 ses->chan_max);
199 		return 0;
200 	}
201 
202 	if (server->dialect < SMB30_PROT_ID) {
203 		spin_unlock(&ses->chan_lock);
204 		cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
205 		return 0;
206 	}
207 
208 	if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
209 		spin_unlock(&ses->chan_lock);
210 		cifs_server_dbg(VFS, "no multichannel support\n");
211 		return 0;
212 	}
213 	spin_unlock(&ses->chan_lock);
214 
215 	while (left > 0) {
216 
217 		tries++;
218 		if (tries > 3*ses->chan_max) {
219 			cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
220 				 left);
221 			break;
222 		}
223 
224 		spin_lock(&ses->iface_lock);
225 		if (!ses->iface_count) {
226 			spin_unlock(&ses->iface_lock);
227 			cifs_dbg(VFS, "server %s does not advertise interfaces\n",
228 				      ses->server->hostname);
229 			break;
230 		}
231 
232 		if (!iface)
233 			iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
234 						 iface_head);
235 		last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
236 					     iface_head);
237 		iface_min_speed = last_iface->speed;
238 
239 		list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
240 				    iface_head) {
241 			/* do not mix rdma and non-rdma interfaces */
242 			if (iface->rdma_capable != ses->server->rdma)
243 				continue;
244 
245 			/* skip ifaces that are unusable */
246 			if (!iface->is_active ||
247 			    (is_ses_using_iface(ses, iface) &&
248 			     !iface->rss_capable))
249 				continue;
250 
251 			/* check if we already allocated enough channels */
252 			iface_weight = iface->speed / iface_min_speed;
253 
254 			if (iface->weight_fulfilled >= iface_weight)
255 				continue;
256 
257 			/* take ref before unlock */
258 			kref_get(&iface->refcount);
259 
260 			spin_unlock(&ses->iface_lock);
261 			rc = cifs_ses_add_channel(ses, iface);
262 			spin_lock(&ses->iface_lock);
263 
264 			if (rc) {
265 				cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
266 					 &iface->sockaddr,
267 					 rc);
268 				kref_put(&iface->refcount, release_iface);
269 				/* failure to add chan should increase weight */
270 				iface->weight_fulfilled++;
271 				continue;
272 			}
273 
274 			iface->num_channels++;
275 			iface->weight_fulfilled++;
276 			cifs_dbg(VFS, "successfully opened new channel on iface:%pIS\n",
277 				 &iface->sockaddr);
278 			break;
279 		}
280 
281 		/* reached end of list. reset weight_fulfilled and start over */
282 		if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
283 			list_for_each_entry(iface, &ses->iface_list, iface_head)
284 				iface->weight_fulfilled = 0;
285 			spin_unlock(&ses->iface_lock);
286 			iface = NULL;
287 			continue;
288 		}
289 		spin_unlock(&ses->iface_lock);
290 
291 		left--;
292 		new_chan_count++;
293 	}
294 
295 	return new_chan_count - old_chan_count;
296 }
297 
298 /*
299  * called when multichannel is disabled by the server.
300  * this always gets called from smb2_reconnect
301  * and cannot get called in parallel threads.
302  */
303 void
cifs_disable_secondary_channels(struct cifs_ses * ses)304 cifs_disable_secondary_channels(struct cifs_ses *ses)
305 {
306 	int i, chan_count;
307 	struct TCP_Server_Info *server;
308 	struct cifs_server_iface *iface;
309 
310 	spin_lock(&ses->chan_lock);
311 	chan_count = ses->chan_count;
312 	if (chan_count == 1)
313 		goto done;
314 
315 	ses->chan_count = 1;
316 
317 	/* for all secondary channels reset the need reconnect bit */
318 	ses->chans_need_reconnect &= 1;
319 
320 	for (i = 1; i < chan_count; i++) {
321 		iface = ses->chans[i].iface;
322 		server = ses->chans[i].server;
323 
324 		/*
325 		 * remove these references first, since we need to unlock
326 		 * the chan_lock here, since iface_lock is a higher lock
327 		 */
328 		ses->chans[i].iface = NULL;
329 		ses->chans[i].server = NULL;
330 		spin_unlock(&ses->chan_lock);
331 
332 		if (iface) {
333 			spin_lock(&ses->iface_lock);
334 			kref_put(&iface->refcount, release_iface);
335 			iface->num_channels--;
336 			if (iface->weight_fulfilled)
337 				iface->weight_fulfilled--;
338 			spin_unlock(&ses->iface_lock);
339 		}
340 
341 		if (server) {
342 			if (!server->terminate) {
343 				server->terminate = true;
344 				cifs_signal_cifsd_for_reconnect(server, false);
345 			}
346 			cifs_put_tcp_session(server, false);
347 		}
348 
349 		spin_lock(&ses->chan_lock);
350 	}
351 
352 done:
353 	spin_unlock(&ses->chan_lock);
354 }
355 
356 /*
357  * update the iface for the channel if necessary.
358  * will return 0 when iface is updated, 1 if removed, 2 otherwise
359  * Must be called with chan_lock held.
360  */
361 int
cifs_chan_update_iface(struct cifs_ses * ses,struct TCP_Server_Info * server)362 cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
363 {
364 	unsigned int chan_index;
365 	size_t iface_weight = 0, iface_min_speed = 0;
366 	struct cifs_server_iface *iface = NULL;
367 	struct cifs_server_iface *old_iface = NULL;
368 	struct cifs_server_iface *last_iface = NULL;
369 	struct sockaddr_storage ss;
370 	int rc = 0;
371 
372 	spin_lock(&ses->chan_lock);
373 	chan_index = cifs_ses_get_chan_index(ses, server);
374 	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
375 		spin_unlock(&ses->chan_lock);
376 		return 0;
377 	}
378 
379 	if (ses->chans[chan_index].iface) {
380 		old_iface = ses->chans[chan_index].iface;
381 		if (old_iface->is_active) {
382 			spin_unlock(&ses->chan_lock);
383 			return 1;
384 		}
385 	}
386 	spin_unlock(&ses->chan_lock);
387 
388 	spin_lock(&server->srv_lock);
389 	ss = server->dstaddr;
390 	spin_unlock(&server->srv_lock);
391 
392 	spin_lock(&ses->iface_lock);
393 	if (!ses->iface_count) {
394 		spin_unlock(&ses->iface_lock);
395 		cifs_dbg(VFS, "server %s does not advertise interfaces\n", ses->server->hostname);
396 		return 0;
397 	}
398 
399 	last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
400 				     iface_head);
401 	iface_min_speed = last_iface->speed;
402 
403 	/* then look for a new one */
404 	list_for_each_entry(iface, &ses->iface_list, iface_head) {
405 		if (!chan_index) {
406 			/* if we're trying to get the updated iface for primary channel */
407 			if (!cifs_match_ipaddr((struct sockaddr *) &ss,
408 					       (struct sockaddr *) &iface->sockaddr))
409 				continue;
410 
411 			kref_get(&iface->refcount);
412 			break;
413 		}
414 
415 		/* do not mix rdma and non-rdma interfaces */
416 		if (iface->rdma_capable != server->rdma)
417 			continue;
418 
419 		if (!iface->is_active ||
420 		    (is_ses_using_iface(ses, iface) &&
421 		     !iface->rss_capable)) {
422 			continue;
423 		}
424 
425 		/* check if we already allocated enough channels */
426 		iface_weight = iface->speed / iface_min_speed;
427 
428 		if (iface->weight_fulfilled >= iface_weight)
429 			continue;
430 
431 		kref_get(&iface->refcount);
432 		break;
433 	}
434 
435 	if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
436 		rc = 1;
437 		iface = NULL;
438 		cifs_dbg(FYI, "unable to find a suitable iface\n");
439 	}
440 
441 	if (!chan_index && !iface) {
442 		cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
443 			 &ss);
444 		spin_unlock(&ses->iface_lock);
445 		return 0;
446 	}
447 
448 	/* now drop the ref to the current iface */
449 	if (old_iface && iface) {
450 		cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
451 			 &old_iface->sockaddr,
452 			 &iface->sockaddr);
453 
454 		old_iface->num_channels--;
455 		if (old_iface->weight_fulfilled)
456 			old_iface->weight_fulfilled--;
457 		iface->num_channels++;
458 		iface->weight_fulfilled++;
459 
460 		kref_put(&old_iface->refcount, release_iface);
461 	} else if (old_iface) {
462 		cifs_dbg(FYI, "releasing ref to iface: %pIS\n",
463 			 &old_iface->sockaddr);
464 
465 		old_iface->num_channels--;
466 		if (old_iface->weight_fulfilled)
467 			old_iface->weight_fulfilled--;
468 
469 		kref_put(&old_iface->refcount, release_iface);
470 	} else if (!chan_index) {
471 		/* special case: update interface for primary channel */
472 		cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
473 			 &iface->sockaddr);
474 		iface->num_channels++;
475 		iface->weight_fulfilled++;
476 	} else {
477 		WARN_ON(!iface);
478 		cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr);
479 	}
480 	spin_unlock(&ses->iface_lock);
481 
482 	spin_lock(&ses->chan_lock);
483 	chan_index = cifs_ses_get_chan_index(ses, server);
484 	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
485 		spin_unlock(&ses->chan_lock);
486 		return 0;
487 	}
488 
489 	ses->chans[chan_index].iface = iface;
490 
491 	/* No iface is found. if secondary chan, drop connection */
492 	if (!iface && SERVER_IS_CHAN(server))
493 		ses->chans[chan_index].server = NULL;
494 
495 	spin_unlock(&ses->chan_lock);
496 
497 	if (!iface && SERVER_IS_CHAN(server))
498 		cifs_put_tcp_session(server, false);
499 
500 	return rc;
501 }
502 
503 /*
504  * If server is a channel of ses, return the corresponding enclosing
505  * cifs_chan otherwise return NULL.
506  */
507 struct cifs_chan *
cifs_ses_find_chan(struct cifs_ses * ses,struct TCP_Server_Info * server)508 cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server)
509 {
510 	int i;
511 
512 	spin_lock(&ses->chan_lock);
513 	for (i = 0; i < ses->chan_count; i++) {
514 		if (ses->chans[i].server == server) {
515 			spin_unlock(&ses->chan_lock);
516 			return &ses->chans[i];
517 		}
518 	}
519 	spin_unlock(&ses->chan_lock);
520 	return NULL;
521 }
522 
523 static int
cifs_ses_add_channel(struct cifs_ses * ses,struct cifs_server_iface * iface)524 cifs_ses_add_channel(struct cifs_ses *ses,
525 		     struct cifs_server_iface *iface)
526 {
527 	struct TCP_Server_Info *chan_server;
528 	struct cifs_chan *chan;
529 	struct smb3_fs_context *ctx;
530 	static const char unc_fmt[] = "\\%s\\foo";
531 	struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
532 	struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
533 	size_t len;
534 	int rc;
535 	unsigned int xid = get_xid();
536 
537 	if (iface->sockaddr.ss_family == AF_INET)
538 		cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
539 			 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
540 			 &ipv4->sin_addr);
541 	else
542 		cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
543 			 ses, iface->speed, iface->rdma_capable ? "yes" : "no",
544 			 &ipv6->sin6_addr);
545 
546 	/*
547 	 * Setup a ctx with mostly the same info as the existing
548 	 * session and overwrite it with the requested iface data.
549 	 *
550 	 * We need to setup at least the fields used for negprot and
551 	 * sesssetup.
552 	 *
553 	 * We only need the ctx here, so we can reuse memory from
554 	 * the session and server without caring about memory
555 	 * management.
556 	 */
557 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
558 	if (!ctx) {
559 		rc = -ENOMEM;
560 		goto out_free_xid;
561 	}
562 
563 	/* Always make new connection for now (TODO?) */
564 	ctx->nosharesock = true;
565 
566 	/* Auth */
567 	ctx->domainauto = ses->domainAuto;
568 	ctx->domainname = ses->domainName;
569 
570 	/* no hostname for extra channels */
571 	ctx->server_hostname = "";
572 
573 	ctx->username = ses->user_name;
574 	ctx->password = ses->password;
575 	ctx->sectype = ses->sectype;
576 	ctx->sign = ses->sign;
577 
578 	/* UNC and paths */
579 	/* XXX: Use ses->server->hostname? */
580 	len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
581 	ctx->UNC = kzalloc(len, GFP_KERNEL);
582 	if (!ctx->UNC) {
583 		rc = -ENOMEM;
584 		goto out_free_ctx;
585 	}
586 	scnprintf(ctx->UNC, len, unc_fmt, ses->ip_addr);
587 	ctx->prepath = "";
588 
589 	/* Reuse same version as master connection */
590 	ctx->vals = ses->server->vals;
591 	ctx->ops = ses->server->ops;
592 
593 	ctx->noblocksnd = ses->server->noblocksnd;
594 	ctx->noautotune = ses->server->noautotune;
595 	ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
596 	ctx->echo_interval = ses->server->echo_interval / HZ;
597 	ctx->max_credits = ses->server->max_credits;
598 
599 	/*
600 	 * This will be used for encoding/decoding user/domain/pw
601 	 * during sess setup auth.
602 	 */
603 	ctx->local_nls = ses->local_nls;
604 
605 	/* Use RDMA if possible */
606 	ctx->rdma = iface->rdma_capable;
607 	memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
608 
609 	/* reuse master con client guid */
610 	memcpy(&ctx->client_guid, ses->server->client_guid,
611 	       sizeof(ctx->client_guid));
612 	ctx->use_client_guid = true;
613 
614 	chan_server = cifs_get_tcp_session(ctx, ses->server);
615 
616 	spin_lock(&ses->chan_lock);
617 	chan = &ses->chans[ses->chan_count];
618 	chan->server = chan_server;
619 	if (IS_ERR(chan->server)) {
620 		rc = PTR_ERR(chan->server);
621 		chan->server = NULL;
622 		spin_unlock(&ses->chan_lock);
623 		goto out;
624 	}
625 	chan->iface = iface;
626 	ses->chan_count++;
627 	atomic_set(&ses->chan_seq, 0);
628 
629 	/* Mark this channel as needing connect/setup */
630 	cifs_chan_set_need_reconnect(ses, chan->server);
631 
632 	spin_unlock(&ses->chan_lock);
633 
634 	mutex_lock(&ses->session_mutex);
635 	/*
636 	 * We need to allocate the server crypto now as we will need
637 	 * to sign packets before we generate the channel signing key
638 	 * (we sign with the session key)
639 	 */
640 	rc = smb311_crypto_shash_allocate(chan->server);
641 	if (rc) {
642 		cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
643 		mutex_unlock(&ses->session_mutex);
644 		goto out;
645 	}
646 
647 	rc = cifs_negotiate_protocol(xid, ses, chan->server);
648 	if (!rc)
649 		rc = cifs_setup_session(xid, ses, chan->server, ses->local_nls);
650 
651 	mutex_unlock(&ses->session_mutex);
652 
653 out:
654 	if (rc && chan->server) {
655 		cifs_put_tcp_session(chan->server, 0);
656 
657 		spin_lock(&ses->chan_lock);
658 
659 		/* we rely on all bits beyond chan_count to be clear */
660 		cifs_chan_clear_need_reconnect(ses, chan->server);
661 		ses->chan_count--;
662 		/*
663 		 * chan_count should never reach 0 as at least the primary
664 		 * channel is always allocated
665 		 */
666 		WARN_ON(ses->chan_count < 1);
667 		spin_unlock(&ses->chan_lock);
668 	}
669 
670 	kfree(ctx->UNC);
671 out_free_ctx:
672 	kfree(ctx);
673 out_free_xid:
674 	free_xid(xid);
675 	return rc;
676 }
677 
678 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
cifs_ssetup_hdr(struct cifs_ses * ses,struct TCP_Server_Info * server,SESSION_SETUP_ANDX * pSMB)679 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
680 			     struct TCP_Server_Info *server,
681 			     SESSION_SETUP_ANDX *pSMB)
682 {
683 	__u32 capabilities = 0;
684 
685 	/* init fields common to all four types of SessSetup */
686 	/* Note that offsets for first seven fields in req struct are same  */
687 	/*	in CIFS Specs so does not matter which of 3 forms of struct */
688 	/*	that we use in next few lines                               */
689 	/* Note that header is initialized to zero in header_assemble */
690 	pSMB->req.AndXCommand = 0xFF;
691 	pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
692 					CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
693 					USHRT_MAX));
694 	pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
695 	pSMB->req.VcNumber = cpu_to_le16(1);
696 
697 	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
698 
699 	/* BB verify whether signing required on neg or just on auth frame
700 	   (and NTLM case) */
701 
702 	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
703 			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
704 
705 	if (server->sign)
706 		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
707 
708 	if (ses->capabilities & CAP_UNICODE) {
709 		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
710 		capabilities |= CAP_UNICODE;
711 	}
712 	if (ses->capabilities & CAP_STATUS32) {
713 		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
714 		capabilities |= CAP_STATUS32;
715 	}
716 	if (ses->capabilities & CAP_DFS) {
717 		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
718 		capabilities |= CAP_DFS;
719 	}
720 	if (ses->capabilities & CAP_UNIX)
721 		capabilities |= CAP_UNIX;
722 
723 	return capabilities;
724 }
725 
726 static void
unicode_oslm_strings(char ** pbcc_area,const struct nls_table * nls_cp)727 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
728 {
729 	char *bcc_ptr = *pbcc_area;
730 	int bytes_ret = 0;
731 
732 	/* Copy OS version */
733 	bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
734 				    nls_cp);
735 	bcc_ptr += 2 * bytes_ret;
736 	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
737 				    32, nls_cp);
738 	bcc_ptr += 2 * bytes_ret;
739 	bcc_ptr += 2; /* trailing null */
740 
741 	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
742 				    32, nls_cp);
743 	bcc_ptr += 2 * bytes_ret;
744 	bcc_ptr += 2; /* trailing null */
745 
746 	*pbcc_area = bcc_ptr;
747 }
748 
unicode_domain_string(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)749 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
750 				   const struct nls_table *nls_cp)
751 {
752 	char *bcc_ptr = *pbcc_area;
753 	int bytes_ret = 0;
754 
755 	/* copy domain */
756 	if (ses->domainName == NULL) {
757 		/* Sending null domain better than using a bogus domain name (as
758 		we did briefly in 2.6.18) since server will use its default */
759 		*bcc_ptr = 0;
760 		*(bcc_ptr+1) = 0;
761 		bytes_ret = 0;
762 	} else
763 		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
764 					    CIFS_MAX_DOMAINNAME_LEN, nls_cp);
765 	bcc_ptr += 2 * bytes_ret;
766 	bcc_ptr += 2;  /* account for null terminator */
767 
768 	*pbcc_area = bcc_ptr;
769 }
770 
unicode_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)771 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
772 				   const struct nls_table *nls_cp)
773 {
774 	char *bcc_ptr = *pbcc_area;
775 	int bytes_ret = 0;
776 
777 	/* BB FIXME add check that strings total less
778 	than 335 or will need to send them as arrays */
779 
780 	/* copy user */
781 	if (ses->user_name == NULL) {
782 		/* null user mount */
783 		*bcc_ptr = 0;
784 		*(bcc_ptr+1) = 0;
785 	} else {
786 		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
787 					    CIFS_MAX_USERNAME_LEN, nls_cp);
788 	}
789 	bcc_ptr += 2 * bytes_ret;
790 	bcc_ptr += 2; /* account for null termination */
791 
792 	unicode_domain_string(&bcc_ptr, ses, nls_cp);
793 	unicode_oslm_strings(&bcc_ptr, nls_cp);
794 
795 	*pbcc_area = bcc_ptr;
796 }
797 
ascii_ssetup_strings(char ** pbcc_area,struct cifs_ses * ses,const struct nls_table * nls_cp)798 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
799 				 const struct nls_table *nls_cp)
800 {
801 	char *bcc_ptr = *pbcc_area;
802 	int len;
803 
804 	/* copy user */
805 	/* BB what about null user mounts - check that we do this BB */
806 	/* copy user */
807 	if (ses->user_name != NULL) {
808 		len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
809 		if (WARN_ON_ONCE(len < 0))
810 			len = CIFS_MAX_USERNAME_LEN - 1;
811 		bcc_ptr += len;
812 	}
813 	/* else null user mount */
814 	*bcc_ptr = 0;
815 	bcc_ptr++; /* account for null termination */
816 
817 	/* copy domain */
818 	if (ses->domainName != NULL) {
819 		len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
820 		if (WARN_ON_ONCE(len < 0))
821 			len = CIFS_MAX_DOMAINNAME_LEN - 1;
822 		bcc_ptr += len;
823 	} /* else we will send a null domain name
824 	     so the server will default to its own domain */
825 	*bcc_ptr = 0;
826 	bcc_ptr++;
827 
828 	/* BB check for overflow here */
829 
830 	strcpy(bcc_ptr, "Linux version ");
831 	bcc_ptr += strlen("Linux version ");
832 	strcpy(bcc_ptr, init_utsname()->release);
833 	bcc_ptr += strlen(init_utsname()->release) + 1;
834 
835 	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
836 	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
837 
838 	*pbcc_area = bcc_ptr;
839 }
840 
841 static void
decode_unicode_ssetup(char ** pbcc_area,int bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)842 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
843 		      const struct nls_table *nls_cp)
844 {
845 	int len;
846 	char *data = *pbcc_area;
847 
848 	cifs_dbg(FYI, "bleft %d\n", bleft);
849 
850 	kfree(ses->serverOS);
851 	ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
852 	cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
853 	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
854 	data += len;
855 	bleft -= len;
856 	if (bleft <= 0)
857 		return;
858 
859 	kfree(ses->serverNOS);
860 	ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
861 	cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
862 	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
863 	data += len;
864 	bleft -= len;
865 	if (bleft <= 0)
866 		return;
867 
868 	kfree(ses->serverDomain);
869 	ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
870 	cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
871 
872 	return;
873 }
874 
decode_ascii_ssetup(char ** pbcc_area,__u16 bleft,struct cifs_ses * ses,const struct nls_table * nls_cp)875 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
876 				struct cifs_ses *ses,
877 				const struct nls_table *nls_cp)
878 {
879 	int len;
880 	char *bcc_ptr = *pbcc_area;
881 
882 	cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
883 
884 	len = strnlen(bcc_ptr, bleft);
885 	if (len >= bleft)
886 		return;
887 
888 	kfree(ses->serverOS);
889 
890 	ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
891 	if (ses->serverOS) {
892 		memcpy(ses->serverOS, bcc_ptr, len);
893 		ses->serverOS[len] = 0;
894 		if (strncmp(ses->serverOS, "OS/2", 4) == 0)
895 			cifs_dbg(FYI, "OS/2 server\n");
896 	}
897 
898 	bcc_ptr += len + 1;
899 	bleft -= len + 1;
900 
901 	len = strnlen(bcc_ptr, bleft);
902 	if (len >= bleft)
903 		return;
904 
905 	kfree(ses->serverNOS);
906 
907 	ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
908 	if (ses->serverNOS) {
909 		memcpy(ses->serverNOS, bcc_ptr, len);
910 		ses->serverNOS[len] = 0;
911 	}
912 
913 	bcc_ptr += len + 1;
914 	bleft -= len + 1;
915 
916 	len = strnlen(bcc_ptr, bleft);
917 	if (len > bleft)
918 		return;
919 
920 	/* No domain field in LANMAN case. Domain is
921 	   returned by old servers in the SMB negprot response */
922 	/* BB For newer servers which do not support Unicode,
923 	   but thus do return domain here we could add parsing
924 	   for it later, but it is not very important */
925 	cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
926 }
927 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
928 
decode_ntlmssp_challenge(char * bcc_ptr,int blob_len,struct cifs_ses * ses)929 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
930 				    struct cifs_ses *ses)
931 {
932 	unsigned int tioffset; /* challenge message target info area */
933 	unsigned int tilen; /* challenge message target info area length  */
934 	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
935 	__u32 server_flags;
936 
937 	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
938 		cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
939 		return -EINVAL;
940 	}
941 
942 	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
943 		cifs_dbg(VFS, "blob signature incorrect %s\n",
944 			 pblob->Signature);
945 		return -EINVAL;
946 	}
947 	if (pblob->MessageType != NtLmChallenge) {
948 		cifs_dbg(VFS, "Incorrect message type %d\n",
949 			 pblob->MessageType);
950 		return -EINVAL;
951 	}
952 
953 	server_flags = le32_to_cpu(pblob->NegotiateFlags);
954 	cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
955 		 ses->ntlmssp->client_flags, server_flags);
956 
957 	if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) &&
958 	    (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
959 		cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
960 			 __func__);
961 		return -EINVAL;
962 	}
963 	if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
964 		cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
965 		return -EINVAL;
966 	}
967 	if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
968 		cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
969 			 __func__);
970 		return -EOPNOTSUPP;
971 	}
972 	if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
973 	    !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
974 		pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
975 			     __func__);
976 
977 	ses->ntlmssp->server_flags = server_flags;
978 
979 	memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
980 	/* In particular we can examine sign flags */
981 	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
982 		we must set the MIC field of the AUTHENTICATE_MESSAGE */
983 
984 	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
985 	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
986 	if (tioffset > blob_len || tioffset + tilen > blob_len) {
987 		cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
988 			 tioffset, tilen);
989 		return -EINVAL;
990 	}
991 	if (tilen) {
992 		kfree_sensitive(ses->auth_key.response);
993 		ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
994 						 GFP_KERNEL);
995 		if (!ses->auth_key.response) {
996 			cifs_dbg(VFS, "Challenge target info alloc failure\n");
997 			return -ENOMEM;
998 		}
999 		ses->auth_key.len = tilen;
1000 	}
1001 
1002 	return 0;
1003 }
1004 
size_of_ntlmssp_blob(struct cifs_ses * ses,int base_size)1005 static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size)
1006 {
1007 	int sz = base_size + ses->auth_key.len
1008 		- CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
1009 
1010 	if (ses->domainName)
1011 		sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
1012 	else
1013 		sz += sizeof(__le16);
1014 
1015 	if (ses->user_name)
1016 		sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
1017 	else
1018 		sz += sizeof(__le16);
1019 
1020 	if (ses->workstation_name[0])
1021 		sz += sizeof(__le16) * strnlen(ses->workstation_name,
1022 					       ntlmssp_workstation_name_size(ses));
1023 	else
1024 		sz += sizeof(__le16);
1025 
1026 	return sz;
1027 }
1028 
cifs_security_buffer_from_str(SECURITY_BUFFER * pbuf,char * str_value,int str_length,unsigned char * pstart,unsigned char ** pcur,const struct nls_table * nls_cp)1029 static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
1030 						 char *str_value,
1031 						 int str_length,
1032 						 unsigned char *pstart,
1033 						 unsigned char **pcur,
1034 						 const struct nls_table *nls_cp)
1035 {
1036 	unsigned char *tmp = pstart;
1037 	int len;
1038 
1039 	if (!pbuf)
1040 		return;
1041 
1042 	if (!pcur)
1043 		pcur = &tmp;
1044 
1045 	if (!str_value) {
1046 		pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1047 		pbuf->Length = 0;
1048 		pbuf->MaximumLength = 0;
1049 		*pcur += sizeof(__le16);
1050 	} else {
1051 		len = cifs_strtoUTF16((__le16 *)*pcur,
1052 				      str_value,
1053 				      str_length,
1054 				      nls_cp);
1055 		len *= sizeof(__le16);
1056 		pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1057 		pbuf->Length = cpu_to_le16(len);
1058 		pbuf->MaximumLength = cpu_to_le16(len);
1059 		*pcur += len;
1060 	}
1061 }
1062 
1063 /* BB Move to ntlmssp.c eventually */
1064 
build_ntlmssp_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1065 int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
1066 				 u16 *buflen,
1067 				 struct cifs_ses *ses,
1068 				 struct TCP_Server_Info *server,
1069 				 const struct nls_table *nls_cp)
1070 {
1071 	int rc = 0;
1072 	NEGOTIATE_MESSAGE *sec_blob;
1073 	__u32 flags;
1074 	unsigned char *tmp;
1075 	int len;
1076 
1077 	len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE));
1078 	*pbuffer = kmalloc(len, GFP_KERNEL);
1079 	if (!*pbuffer) {
1080 		rc = -ENOMEM;
1081 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1082 		*buflen = 0;
1083 		goto setup_ntlm_neg_ret;
1084 	}
1085 	sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer;
1086 
1087 	memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
1088 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1089 	sec_blob->MessageType = NtLmNegotiate;
1090 
1091 	/* BB is NTLMV2 session security format easier to use here? */
1092 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
1093 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1094 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1095 		NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1096 		NTLMSSP_NEGOTIATE_SIGN;
1097 	if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1098 		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1099 
1100 	tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE);
1101 	ses->ntlmssp->client_flags = flags;
1102 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1103 
1104 	/* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1105 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1106 				      NULL,
1107 				      CIFS_MAX_DOMAINNAME_LEN,
1108 				      *pbuffer, &tmp,
1109 				      nls_cp);
1110 
1111 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1112 				      NULL,
1113 				      CIFS_MAX_WORKSTATION_LEN,
1114 				      *pbuffer, &tmp,
1115 				      nls_cp);
1116 
1117 	*buflen = tmp - *pbuffer;
1118 setup_ntlm_neg_ret:
1119 	return rc;
1120 }
1121 
1122 /*
1123  * Build ntlmssp blob with additional fields, such as version,
1124  * supported by modern servers. For safety limit to SMB3 or later
1125  * See notes in MS-NLMP Section 2.2.2.1 e.g.
1126  */
build_ntlmssp_smb3_negotiate_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1127 int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
1128 				 u16 *buflen,
1129 				 struct cifs_ses *ses,
1130 				 struct TCP_Server_Info *server,
1131 				 const struct nls_table *nls_cp)
1132 {
1133 	int rc = 0;
1134 	struct negotiate_message *sec_blob;
1135 	__u32 flags;
1136 	unsigned char *tmp;
1137 	int len;
1138 
1139 	len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message));
1140 	*pbuffer = kmalloc(len, GFP_KERNEL);
1141 	if (!*pbuffer) {
1142 		rc = -ENOMEM;
1143 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1144 		*buflen = 0;
1145 		goto setup_ntlm_smb3_neg_ret;
1146 	}
1147 	sec_blob = (struct negotiate_message *)*pbuffer;
1148 
1149 	memset(*pbuffer, 0, sizeof(struct negotiate_message));
1150 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1151 	sec_blob->MessageType = NtLmNegotiate;
1152 
1153 	/* BB is NTLMV2 session security format easier to use here? */
1154 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
1155 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
1156 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
1157 		NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL |
1158 		NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION;
1159 	if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
1160 		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
1161 
1162 	sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1163 	sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1164 	sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1165 	sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1166 
1167 	tmp = *pbuffer + sizeof(struct negotiate_message);
1168 	ses->ntlmssp->client_flags = flags;
1169 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1170 
1171 	/* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */
1172 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1173 				      NULL,
1174 				      CIFS_MAX_DOMAINNAME_LEN,
1175 				      *pbuffer, &tmp,
1176 				      nls_cp);
1177 
1178 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1179 				      NULL,
1180 				      CIFS_MAX_WORKSTATION_LEN,
1181 				      *pbuffer, &tmp,
1182 				      nls_cp);
1183 
1184 	*buflen = tmp - *pbuffer;
1185 setup_ntlm_smb3_neg_ret:
1186 	return rc;
1187 }
1188 
1189 
1190 /* See MS-NLMP 2.2.1.3 */
build_ntlmssp_auth_blob(unsigned char ** pbuffer,u16 * buflen,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1191 int build_ntlmssp_auth_blob(unsigned char **pbuffer,
1192 					u16 *buflen,
1193 				   struct cifs_ses *ses,
1194 				   struct TCP_Server_Info *server,
1195 				   const struct nls_table *nls_cp)
1196 {
1197 	int rc;
1198 	AUTHENTICATE_MESSAGE *sec_blob;
1199 	__u32 flags;
1200 	unsigned char *tmp;
1201 	int len;
1202 
1203 	rc = setup_ntlmv2_rsp(ses, nls_cp);
1204 	if (rc) {
1205 		cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
1206 		*buflen = 0;
1207 		goto setup_ntlmv2_ret;
1208 	}
1209 
1210 	len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE));
1211 	*pbuffer = kmalloc(len, GFP_KERNEL);
1212 	if (!*pbuffer) {
1213 		rc = -ENOMEM;
1214 		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1215 		*buflen = 0;
1216 		goto setup_ntlmv2_ret;
1217 	}
1218 	sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
1219 
1220 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
1221 	sec_blob->MessageType = NtLmAuthenticate;
1222 
1223 	flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
1224 		NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
1225 	/* we only send version information in ntlmssp negotiate, so do not set this flag */
1226 	flags = flags & ~NTLMSSP_NEGOTIATE_VERSION;
1227 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
1228 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1229 
1230 	sec_blob->LmChallengeResponse.BufferOffset =
1231 				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
1232 	sec_blob->LmChallengeResponse.Length = 0;
1233 	sec_blob->LmChallengeResponse.MaximumLength = 0;
1234 
1235 	sec_blob->NtChallengeResponse.BufferOffset =
1236 				cpu_to_le32(tmp - *pbuffer);
1237 	if (ses->user_name != NULL) {
1238 		memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1239 				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1240 		tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1241 
1242 		sec_blob->NtChallengeResponse.Length =
1243 				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1244 		sec_blob->NtChallengeResponse.MaximumLength =
1245 				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1246 	} else {
1247 		/*
1248 		 * don't send an NT Response for anonymous access
1249 		 */
1250 		sec_blob->NtChallengeResponse.Length = 0;
1251 		sec_blob->NtChallengeResponse.MaximumLength = 0;
1252 	}
1253 
1254 	cifs_security_buffer_from_str(&sec_blob->DomainName,
1255 				      ses->domainName,
1256 				      CIFS_MAX_DOMAINNAME_LEN,
1257 				      *pbuffer, &tmp,
1258 				      nls_cp);
1259 
1260 	cifs_security_buffer_from_str(&sec_blob->UserName,
1261 				      ses->user_name,
1262 				      CIFS_MAX_USERNAME_LEN,
1263 				      *pbuffer, &tmp,
1264 				      nls_cp);
1265 
1266 	cifs_security_buffer_from_str(&sec_blob->WorkstationName,
1267 				      ses->workstation_name,
1268 				      ntlmssp_workstation_name_size(ses),
1269 				      *pbuffer, &tmp,
1270 				      nls_cp);
1271 
1272 	if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
1273 	    (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) &&
1274 	    !calc_seckey(ses)) {
1275 		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
1276 		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1277 		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1278 		sec_blob->SessionKey.MaximumLength =
1279 				cpu_to_le16(CIFS_CPHTXT_SIZE);
1280 		tmp += CIFS_CPHTXT_SIZE;
1281 	} else {
1282 		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1283 		sec_blob->SessionKey.Length = 0;
1284 		sec_blob->SessionKey.MaximumLength = 0;
1285 	}
1286 
1287 	*buflen = tmp - *pbuffer;
1288 setup_ntlmv2_ret:
1289 	return rc;
1290 }
1291 
1292 enum securityEnum
cifs_select_sectype(struct TCP_Server_Info * server,enum securityEnum requested)1293 cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
1294 {
1295 	switch (server->negflavor) {
1296 	case CIFS_NEGFLAVOR_EXTENDED:
1297 		switch (requested) {
1298 		case Kerberos:
1299 		case RawNTLMSSP:
1300 			return requested;
1301 		case Unspecified:
1302 			if (server->sec_ntlmssp &&
1303 			    (global_secflags & CIFSSEC_MAY_NTLMSSP))
1304 				return RawNTLMSSP;
1305 			if ((server->sec_kerberos || server->sec_mskerberos) &&
1306 			    (global_secflags & CIFSSEC_MAY_KRB5))
1307 				return Kerberos;
1308 			fallthrough;
1309 		default:
1310 			return Unspecified;
1311 		}
1312 	case CIFS_NEGFLAVOR_UNENCAP:
1313 		switch (requested) {
1314 		case NTLMv2:
1315 			return requested;
1316 		case Unspecified:
1317 			if (global_secflags & CIFSSEC_MAY_NTLMV2)
1318 				return NTLMv2;
1319 			break;
1320 		default:
1321 			break;
1322 		}
1323 		fallthrough;
1324 	default:
1325 		return Unspecified;
1326 	}
1327 }
1328 
1329 struct sess_data {
1330 	unsigned int xid;
1331 	struct cifs_ses *ses;
1332 	struct TCP_Server_Info *server;
1333 	struct nls_table *nls_cp;
1334 	void (*func)(struct sess_data *);
1335 	int result;
1336 
1337 	/* we will send the SMB in three pieces:
1338 	 * a fixed length beginning part, an optional
1339 	 * SPNEGO blob (which can be zero length), and a
1340 	 * last part which will include the strings
1341 	 * and rest of bcc area. This allows us to avoid
1342 	 * a large buffer 17K allocation
1343 	 */
1344 	int buf0_type;
1345 	struct kvec iov[3];
1346 };
1347 
1348 #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1349 static int
sess_alloc_buffer(struct sess_data * sess_data,int wct)1350 sess_alloc_buffer(struct sess_data *sess_data, int wct)
1351 {
1352 	int rc;
1353 	struct cifs_ses *ses = sess_data->ses;
1354 	struct smb_hdr *smb_buf;
1355 
1356 	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
1357 				  (void **)&smb_buf);
1358 
1359 	if (rc)
1360 		return rc;
1361 
1362 	sess_data->iov[0].iov_base = (char *)smb_buf;
1363 	sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
1364 	/*
1365 	 * This variable will be used to clear the buffer
1366 	 * allocated above in case of any error in the calling function.
1367 	 */
1368 	sess_data->buf0_type = CIFS_SMALL_BUFFER;
1369 
1370 	/* 2000 big enough to fit max user, domain, NOS name etc. */
1371 	sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
1372 	if (!sess_data->iov[2].iov_base) {
1373 		rc = -ENOMEM;
1374 		goto out_free_smb_buf;
1375 	}
1376 
1377 	return 0;
1378 
1379 out_free_smb_buf:
1380 	cifs_small_buf_release(smb_buf);
1381 	sess_data->iov[0].iov_base = NULL;
1382 	sess_data->iov[0].iov_len = 0;
1383 	sess_data->buf0_type = CIFS_NO_BUFFER;
1384 	return rc;
1385 }
1386 
1387 static void
sess_free_buffer(struct sess_data * sess_data)1388 sess_free_buffer(struct sess_data *sess_data)
1389 {
1390 	struct kvec *iov = sess_data->iov;
1391 
1392 	/*
1393 	 * Zero the session data before freeing, as it might contain sensitive info (keys, etc).
1394 	 * Note that iov[1] is already freed by caller.
1395 	 */
1396 	if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base)
1397 		memzero_explicit(iov[0].iov_base, iov[0].iov_len);
1398 
1399 	free_rsp_buf(sess_data->buf0_type, iov[0].iov_base);
1400 	sess_data->buf0_type = CIFS_NO_BUFFER;
1401 	kfree_sensitive(iov[2].iov_base);
1402 }
1403 
1404 static int
sess_establish_session(struct sess_data * sess_data)1405 sess_establish_session(struct sess_data *sess_data)
1406 {
1407 	struct cifs_ses *ses = sess_data->ses;
1408 	struct TCP_Server_Info *server = sess_data->server;
1409 
1410 	cifs_server_lock(server);
1411 	if (!server->session_estab) {
1412 		if (server->sign) {
1413 			server->session_key.response =
1414 				kmemdup(ses->auth_key.response,
1415 				ses->auth_key.len, GFP_KERNEL);
1416 			if (!server->session_key.response) {
1417 				cifs_server_unlock(server);
1418 				return -ENOMEM;
1419 			}
1420 			server->session_key.len =
1421 						ses->auth_key.len;
1422 		}
1423 		server->sequence_number = 0x2;
1424 		server->session_estab = true;
1425 	}
1426 	cifs_server_unlock(server);
1427 
1428 	cifs_dbg(FYI, "CIFS session established successfully\n");
1429 	return 0;
1430 }
1431 
1432 static int
sess_sendreceive(struct sess_data * sess_data)1433 sess_sendreceive(struct sess_data *sess_data)
1434 {
1435 	int rc;
1436 	struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
1437 	__u16 count;
1438 	struct kvec rsp_iov = { NULL, 0 };
1439 
1440 	count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
1441 	be32_add_cpu(&smb_buf->smb_buf_length, count);
1442 	put_bcc(count, smb_buf);
1443 
1444 	rc = SendReceive2(sess_data->xid, sess_data->ses,
1445 			  sess_data->iov, 3 /* num_iovecs */,
1446 			  &sess_data->buf0_type,
1447 			  CIFS_LOG_ERROR, &rsp_iov);
1448 	cifs_small_buf_release(sess_data->iov[0].iov_base);
1449 	memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec));
1450 
1451 	return rc;
1452 }
1453 
1454 static void
sess_auth_ntlmv2(struct sess_data * sess_data)1455 sess_auth_ntlmv2(struct sess_data *sess_data)
1456 {
1457 	int rc = 0;
1458 	struct smb_hdr *smb_buf;
1459 	SESSION_SETUP_ANDX *pSMB;
1460 	char *bcc_ptr;
1461 	struct cifs_ses *ses = sess_data->ses;
1462 	struct TCP_Server_Info *server = sess_data->server;
1463 	__u32 capabilities;
1464 	__u16 bytes_remaining;
1465 
1466 	/* old style NTLM sessionsetup */
1467 	/* wct = 13 */
1468 	rc = sess_alloc_buffer(sess_data, 13);
1469 	if (rc)
1470 		goto out;
1471 
1472 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1473 	bcc_ptr = sess_data->iov[2].iov_base;
1474 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1475 
1476 	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1477 
1478 	/* LM2 password would be here if we supported it */
1479 	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1480 
1481 	if (ses->user_name != NULL) {
1482 		/* calculate nlmv2 response and session key */
1483 		rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1484 		if (rc) {
1485 			cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1486 			goto out;
1487 		}
1488 
1489 		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1490 				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1491 		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1492 
1493 		/* set case sensitive password length after tilen may get
1494 		 * assigned, tilen is 0 otherwise.
1495 		 */
1496 		pSMB->req_no_secext.CaseSensitivePasswordLength =
1497 			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1498 	} else {
1499 		pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1500 	}
1501 
1502 	if (ses->capabilities & CAP_UNICODE) {
1503 		if (!IS_ALIGNED(sess_data->iov[0].iov_len, 2)) {
1504 			*bcc_ptr = 0;
1505 			bcc_ptr++;
1506 		}
1507 		unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1508 	} else {
1509 		ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1510 	}
1511 
1512 
1513 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1514 			(long) sess_data->iov[2].iov_base;
1515 
1516 	rc = sess_sendreceive(sess_data);
1517 	if (rc)
1518 		goto out;
1519 
1520 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1521 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1522 
1523 	if (smb_buf->WordCount != 3) {
1524 		rc = -EIO;
1525 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1526 		goto out;
1527 	}
1528 
1529 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1530 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1531 
1532 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1533 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1534 
1535 	bytes_remaining = get_bcc(smb_buf);
1536 	bcc_ptr = pByteArea(smb_buf);
1537 
1538 	/* BB check if Unicode and decode strings */
1539 	if (bytes_remaining == 0) {
1540 		/* no string area to decode, do nothing */
1541 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1542 		/* unicode string area must be word-aligned */
1543 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1544 			++bcc_ptr;
1545 			--bytes_remaining;
1546 		}
1547 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1548 				      sess_data->nls_cp);
1549 	} else {
1550 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1551 				    sess_data->nls_cp);
1552 	}
1553 
1554 	rc = sess_establish_session(sess_data);
1555 out:
1556 	sess_data->result = rc;
1557 	sess_data->func = NULL;
1558 	sess_free_buffer(sess_data);
1559 	kfree_sensitive(ses->auth_key.response);
1560 	ses->auth_key.response = NULL;
1561 }
1562 
1563 #ifdef CONFIG_CIFS_UPCALL
1564 static void
sess_auth_kerberos(struct sess_data * sess_data)1565 sess_auth_kerberos(struct sess_data *sess_data)
1566 {
1567 	int rc = 0;
1568 	struct smb_hdr *smb_buf;
1569 	SESSION_SETUP_ANDX *pSMB;
1570 	char *bcc_ptr;
1571 	struct cifs_ses *ses = sess_data->ses;
1572 	struct TCP_Server_Info *server = sess_data->server;
1573 	__u32 capabilities;
1574 	__u16 bytes_remaining;
1575 	struct key *spnego_key = NULL;
1576 	struct cifs_spnego_msg *msg;
1577 	u16 blob_len;
1578 
1579 	/* extended security */
1580 	/* wct = 12 */
1581 	rc = sess_alloc_buffer(sess_data, 12);
1582 	if (rc)
1583 		goto out;
1584 
1585 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1586 	bcc_ptr = sess_data->iov[2].iov_base;
1587 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1588 
1589 	spnego_key = cifs_get_spnego_key(ses, server);
1590 	if (IS_ERR(spnego_key)) {
1591 		rc = PTR_ERR(spnego_key);
1592 		spnego_key = NULL;
1593 		goto out;
1594 	}
1595 
1596 	msg = spnego_key->payload.data[0];
1597 	/*
1598 	 * check version field to make sure that cifs.upcall is
1599 	 * sending us a response in an expected form
1600 	 */
1601 	if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1602 		cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1603 			 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1604 		rc = -EKEYREJECTED;
1605 		goto out_put_spnego_key;
1606 	}
1607 
1608 	kfree_sensitive(ses->auth_key.response);
1609 	ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1610 					 GFP_KERNEL);
1611 	if (!ses->auth_key.response) {
1612 		cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1613 			 msg->sesskey_len);
1614 		rc = -ENOMEM;
1615 		goto out_put_spnego_key;
1616 	}
1617 	ses->auth_key.len = msg->sesskey_len;
1618 
1619 	pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1620 	capabilities |= CAP_EXTENDED_SECURITY;
1621 	pSMB->req.Capabilities = cpu_to_le32(capabilities);
1622 	sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1623 	sess_data->iov[1].iov_len = msg->secblob_len;
1624 	pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1625 
1626 	if (ses->capabilities & CAP_UNICODE) {
1627 		/* unicode strings must be word aligned */
1628 		if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1629 			*bcc_ptr = 0;
1630 			bcc_ptr++;
1631 		}
1632 		unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1633 		unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1634 	} else {
1635 		/* BB: is this right? */
1636 		ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1637 	}
1638 
1639 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1640 			(long) sess_data->iov[2].iov_base;
1641 
1642 	rc = sess_sendreceive(sess_data);
1643 	if (rc)
1644 		goto out_put_spnego_key;
1645 
1646 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1647 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1648 
1649 	if (smb_buf->WordCount != 4) {
1650 		rc = -EIO;
1651 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1652 		goto out_put_spnego_key;
1653 	}
1654 
1655 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1656 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1657 
1658 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1659 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1660 
1661 	bytes_remaining = get_bcc(smb_buf);
1662 	bcc_ptr = pByteArea(smb_buf);
1663 
1664 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1665 	if (blob_len > bytes_remaining) {
1666 		cifs_dbg(VFS, "bad security blob length %d\n",
1667 				blob_len);
1668 		rc = -EINVAL;
1669 		goto out_put_spnego_key;
1670 	}
1671 	bcc_ptr += blob_len;
1672 	bytes_remaining -= blob_len;
1673 
1674 	/* BB check if Unicode and decode strings */
1675 	if (bytes_remaining == 0) {
1676 		/* no string area to decode, do nothing */
1677 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1678 		/* unicode string area must be word-aligned */
1679 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1680 			++bcc_ptr;
1681 			--bytes_remaining;
1682 		}
1683 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1684 				      sess_data->nls_cp);
1685 	} else {
1686 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1687 				    sess_data->nls_cp);
1688 	}
1689 
1690 	rc = sess_establish_session(sess_data);
1691 out_put_spnego_key:
1692 	key_invalidate(spnego_key);
1693 	key_put(spnego_key);
1694 out:
1695 	sess_data->result = rc;
1696 	sess_data->func = NULL;
1697 	sess_free_buffer(sess_data);
1698 	kfree_sensitive(ses->auth_key.response);
1699 	ses->auth_key.response = NULL;
1700 }
1701 
1702 #endif /* ! CONFIG_CIFS_UPCALL */
1703 
1704 /*
1705  * The required kvec buffers have to be allocated before calling this
1706  * function.
1707  */
1708 static int
_sess_auth_rawntlmssp_assemble_req(struct sess_data * sess_data)1709 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1710 {
1711 	SESSION_SETUP_ANDX *pSMB;
1712 	struct cifs_ses *ses = sess_data->ses;
1713 	struct TCP_Server_Info *server = sess_data->server;
1714 	__u32 capabilities;
1715 	char *bcc_ptr;
1716 
1717 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1718 
1719 	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1720 	if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
1721 		cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
1722 		return -ENOSYS;
1723 	}
1724 
1725 	pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1726 	capabilities |= CAP_EXTENDED_SECURITY;
1727 	pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1728 
1729 	bcc_ptr = sess_data->iov[2].iov_base;
1730 	/* unicode strings must be word aligned */
1731 	if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
1732 		*bcc_ptr = 0;
1733 		bcc_ptr++;
1734 	}
1735 	unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1736 
1737 	sess_data->iov[2].iov_len = (long) bcc_ptr -
1738 					(long) sess_data->iov[2].iov_base;
1739 
1740 	return 0;
1741 }
1742 
1743 static void
1744 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1745 
1746 static void
sess_auth_rawntlmssp_negotiate(struct sess_data * sess_data)1747 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1748 {
1749 	int rc;
1750 	struct smb_hdr *smb_buf;
1751 	SESSION_SETUP_ANDX *pSMB;
1752 	struct cifs_ses *ses = sess_data->ses;
1753 	struct TCP_Server_Info *server = sess_data->server;
1754 	__u16 bytes_remaining;
1755 	char *bcc_ptr;
1756 	unsigned char *ntlmsspblob = NULL;
1757 	u16 blob_len;
1758 
1759 	cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1760 
1761 	/*
1762 	 * if memory allocation is successful, caller of this function
1763 	 * frees it.
1764 	 */
1765 	ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1766 	if (!ses->ntlmssp) {
1767 		rc = -ENOMEM;
1768 		goto out;
1769 	}
1770 	ses->ntlmssp->sesskey_per_smbsess = false;
1771 
1772 	/* wct = 12 */
1773 	rc = sess_alloc_buffer(sess_data, 12);
1774 	if (rc)
1775 		goto out;
1776 
1777 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1778 
1779 	/* Build security blob before we assemble the request */
1780 	rc = build_ntlmssp_negotiate_blob(&ntlmsspblob,
1781 				     &blob_len, ses, server,
1782 				     sess_data->nls_cp);
1783 	if (rc)
1784 		goto out_free_ntlmsspblob;
1785 
1786 	sess_data->iov[1].iov_len = blob_len;
1787 	sess_data->iov[1].iov_base = ntlmsspblob;
1788 	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1789 
1790 	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1791 	if (rc)
1792 		goto out_free_ntlmsspblob;
1793 
1794 	rc = sess_sendreceive(sess_data);
1795 
1796 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1797 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1798 
1799 	/* If true, rc here is expected and not an error */
1800 	if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1801 	    smb_buf->Status.CifsError ==
1802 			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1803 		rc = 0;
1804 
1805 	if (rc)
1806 		goto out_free_ntlmsspblob;
1807 
1808 	cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1809 
1810 	if (smb_buf->WordCount != 4) {
1811 		rc = -EIO;
1812 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1813 		goto out_free_ntlmsspblob;
1814 	}
1815 
1816 	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1817 	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1818 
1819 	bytes_remaining = get_bcc(smb_buf);
1820 	bcc_ptr = pByteArea(smb_buf);
1821 
1822 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1823 	if (blob_len > bytes_remaining) {
1824 		cifs_dbg(VFS, "bad security blob length %d\n",
1825 				blob_len);
1826 		rc = -EINVAL;
1827 		goto out_free_ntlmsspblob;
1828 	}
1829 
1830 	rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1831 
1832 out_free_ntlmsspblob:
1833 	kfree_sensitive(ntlmsspblob);
1834 out:
1835 	sess_free_buffer(sess_data);
1836 
1837 	if (!rc) {
1838 		sess_data->func = sess_auth_rawntlmssp_authenticate;
1839 		return;
1840 	}
1841 
1842 	/* Else error. Cleanup */
1843 	kfree_sensitive(ses->auth_key.response);
1844 	ses->auth_key.response = NULL;
1845 	kfree_sensitive(ses->ntlmssp);
1846 	ses->ntlmssp = NULL;
1847 
1848 	sess_data->func = NULL;
1849 	sess_data->result = rc;
1850 }
1851 
1852 static void
sess_auth_rawntlmssp_authenticate(struct sess_data * sess_data)1853 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1854 {
1855 	int rc;
1856 	struct smb_hdr *smb_buf;
1857 	SESSION_SETUP_ANDX *pSMB;
1858 	struct cifs_ses *ses = sess_data->ses;
1859 	struct TCP_Server_Info *server = sess_data->server;
1860 	__u16 bytes_remaining;
1861 	char *bcc_ptr;
1862 	unsigned char *ntlmsspblob = NULL;
1863 	u16 blob_len;
1864 
1865 	cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1866 
1867 	/* wct = 12 */
1868 	rc = sess_alloc_buffer(sess_data, 12);
1869 	if (rc)
1870 		goto out;
1871 
1872 	/* Build security blob before we assemble the request */
1873 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1874 	smb_buf = (struct smb_hdr *)pSMB;
1875 	rc = build_ntlmssp_auth_blob(&ntlmsspblob,
1876 					&blob_len, ses, server,
1877 					sess_data->nls_cp);
1878 	if (rc)
1879 		goto out_free_ntlmsspblob;
1880 	sess_data->iov[1].iov_len = blob_len;
1881 	sess_data->iov[1].iov_base = ntlmsspblob;
1882 	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1883 	/*
1884 	 * Make sure that we tell the server that we are using
1885 	 * the uid that it just gave us back on the response
1886 	 * (challenge)
1887 	 */
1888 	smb_buf->Uid = ses->Suid;
1889 
1890 	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1891 	if (rc)
1892 		goto out_free_ntlmsspblob;
1893 
1894 	rc = sess_sendreceive(sess_data);
1895 	if (rc)
1896 		goto out_free_ntlmsspblob;
1897 
1898 	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1899 	smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1900 	if (smb_buf->WordCount != 4) {
1901 		rc = -EIO;
1902 		cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1903 		goto out_free_ntlmsspblob;
1904 	}
1905 
1906 	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1907 		cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1908 
1909 	if (ses->Suid != smb_buf->Uid) {
1910 		ses->Suid = smb_buf->Uid;
1911 		cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1912 	}
1913 
1914 	bytes_remaining = get_bcc(smb_buf);
1915 	bcc_ptr = pByteArea(smb_buf);
1916 	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1917 	if (blob_len > bytes_remaining) {
1918 		cifs_dbg(VFS, "bad security blob length %d\n",
1919 				blob_len);
1920 		rc = -EINVAL;
1921 		goto out_free_ntlmsspblob;
1922 	}
1923 	bcc_ptr += blob_len;
1924 	bytes_remaining -= blob_len;
1925 
1926 
1927 	/* BB check if Unicode and decode strings */
1928 	if (bytes_remaining == 0) {
1929 		/* no string area to decode, do nothing */
1930 	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1931 		/* unicode string area must be word-aligned */
1932 		if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, 2)) {
1933 			++bcc_ptr;
1934 			--bytes_remaining;
1935 		}
1936 		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1937 				      sess_data->nls_cp);
1938 	} else {
1939 		decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1940 				    sess_data->nls_cp);
1941 	}
1942 
1943 out_free_ntlmsspblob:
1944 	kfree_sensitive(ntlmsspblob);
1945 out:
1946 	sess_free_buffer(sess_data);
1947 
1948 	if (!rc)
1949 		rc = sess_establish_session(sess_data);
1950 
1951 	/* Cleanup */
1952 	kfree_sensitive(ses->auth_key.response);
1953 	ses->auth_key.response = NULL;
1954 	kfree_sensitive(ses->ntlmssp);
1955 	ses->ntlmssp = NULL;
1956 
1957 	sess_data->func = NULL;
1958 	sess_data->result = rc;
1959 }
1960 
select_sec(struct sess_data * sess_data)1961 static int select_sec(struct sess_data *sess_data)
1962 {
1963 	int type;
1964 	struct cifs_ses *ses = sess_data->ses;
1965 	struct TCP_Server_Info *server = sess_data->server;
1966 
1967 	type = cifs_select_sectype(server, ses->sectype);
1968 	cifs_dbg(FYI, "sess setup type %d\n", type);
1969 	if (type == Unspecified) {
1970 		cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1971 		return -EINVAL;
1972 	}
1973 
1974 	switch (type) {
1975 	case NTLMv2:
1976 		sess_data->func = sess_auth_ntlmv2;
1977 		break;
1978 	case Kerberos:
1979 #ifdef CONFIG_CIFS_UPCALL
1980 		sess_data->func = sess_auth_kerberos;
1981 		break;
1982 #else
1983 		cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1984 		return -ENOSYS;
1985 #endif /* CONFIG_CIFS_UPCALL */
1986 	case RawNTLMSSP:
1987 		sess_data->func = sess_auth_rawntlmssp_negotiate;
1988 		break;
1989 	default:
1990 		cifs_dbg(VFS, "secType %d not supported!\n", type);
1991 		return -ENOSYS;
1992 	}
1993 
1994 	return 0;
1995 }
1996 
CIFS_SessSetup(const unsigned int xid,struct cifs_ses * ses,struct TCP_Server_Info * server,const struct nls_table * nls_cp)1997 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1998 		   struct TCP_Server_Info *server,
1999 		   const struct nls_table *nls_cp)
2000 {
2001 	int rc = 0;
2002 	struct sess_data *sess_data;
2003 
2004 	if (ses == NULL) {
2005 		WARN(1, "%s: ses == NULL!", __func__);
2006 		return -EINVAL;
2007 	}
2008 
2009 	sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
2010 	if (!sess_data)
2011 		return -ENOMEM;
2012 
2013 	sess_data->xid = xid;
2014 	sess_data->ses = ses;
2015 	sess_data->server = server;
2016 	sess_data->buf0_type = CIFS_NO_BUFFER;
2017 	sess_data->nls_cp = (struct nls_table *) nls_cp;
2018 
2019 	rc = select_sec(sess_data);
2020 	if (rc)
2021 		goto out;
2022 
2023 	while (sess_data->func)
2024 		sess_data->func(sess_data);
2025 
2026 	/* Store result before we free sess_data */
2027 	rc = sess_data->result;
2028 
2029 out:
2030 	kfree_sensitive(sess_data);
2031 	return rc;
2032 }
2033 #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
2034