sess.c (49428B)
1// SPDX-License-Identifier: LGPL-2.1 2/* 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 */ 10 11#include "cifspdu.h" 12#include "cifsglob.h" 13#include "cifsproto.h" 14#include "cifs_unicode.h" 15#include "cifs_debug.h" 16#include "ntlmssp.h" 17#include "nterr.h" 18#include <linux/utsname.h> 19#include <linux/slab.h> 20#include <linux/version.h> 21#include "cifsfs.h" 22#include "cifs_spnego.h" 23#include "smb2proto.h" 24#include "fs_context.h" 25 26static int 27cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses, 28 struct cifs_server_iface *iface); 29 30bool 31is_server_using_iface(struct TCP_Server_Info *server, 32 struct cifs_server_iface *iface) 33{ 34 struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr; 35 struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr; 36 struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr; 37 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr; 38 39 if (server->dstaddr.ss_family != iface->sockaddr.ss_family) 40 return false; 41 if (server->dstaddr.ss_family == AF_INET) { 42 if (s4->sin_addr.s_addr != i4->sin_addr.s_addr) 43 return false; 44 } else if (server->dstaddr.ss_family == AF_INET6) { 45 if (memcmp(&s6->sin6_addr, &i6->sin6_addr, 46 sizeof(i6->sin6_addr)) != 0) 47 return false; 48 } else { 49 /* unknown family.. */ 50 return false; 51 } 52 return true; 53} 54 55bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface) 56{ 57 int i; 58 59 spin_lock(&ses->chan_lock); 60 for (i = 0; i < ses->chan_count; i++) { 61 if (ses->chans[i].iface == iface) { 62 spin_unlock(&ses->chan_lock); 63 return true; 64 } 65 } 66 spin_unlock(&ses->chan_lock); 67 return false; 68} 69 70/* channel helper functions. assumed that chan_lock is held by caller. */ 71 72unsigned int 73cifs_ses_get_chan_index(struct cifs_ses *ses, 74 struct TCP_Server_Info *server) 75{ 76 unsigned int i; 77 78 for (i = 0; i < ses->chan_count; i++) { 79 if (ses->chans[i].server == server) 80 return i; 81 } 82 83 /* If we didn't find the channel, it is likely a bug */ 84 if (server) 85 cifs_dbg(VFS, "unable to get chan index for server: 0x%llx", 86 server->conn_id); 87 WARN_ON(1); 88 return 0; 89} 90 91void 92cifs_chan_set_in_reconnect(struct cifs_ses *ses, 93 struct TCP_Server_Info *server) 94{ 95 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 96 97 ses->chans[chan_index].in_reconnect = true; 98} 99 100void 101cifs_chan_clear_in_reconnect(struct cifs_ses *ses, 102 struct TCP_Server_Info *server) 103{ 104 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 105 106 ses->chans[chan_index].in_reconnect = false; 107} 108 109bool 110cifs_chan_in_reconnect(struct cifs_ses *ses, 111 struct TCP_Server_Info *server) 112{ 113 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 114 115 return CIFS_CHAN_IN_RECONNECT(ses, chan_index); 116} 117 118void 119cifs_chan_set_need_reconnect(struct cifs_ses *ses, 120 struct TCP_Server_Info *server) 121{ 122 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 123 124 set_bit(chan_index, &ses->chans_need_reconnect); 125 cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n", 126 chan_index, ses->chans_need_reconnect); 127} 128 129void 130cifs_chan_clear_need_reconnect(struct cifs_ses *ses, 131 struct TCP_Server_Info *server) 132{ 133 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 134 135 clear_bit(chan_index, &ses->chans_need_reconnect); 136 cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n", 137 chan_index, ses->chans_need_reconnect); 138} 139 140bool 141cifs_chan_needs_reconnect(struct cifs_ses *ses, 142 struct TCP_Server_Info *server) 143{ 144 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 145 146 return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index); 147} 148 149bool 150cifs_chan_is_iface_active(struct cifs_ses *ses, 151 struct TCP_Server_Info *server) 152{ 153 unsigned int chan_index = cifs_ses_get_chan_index(ses, server); 154 155 return ses->chans[chan_index].iface && 156 ses->chans[chan_index].iface->is_active; 157} 158 159/* returns number of channels added */ 160int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses) 161{ 162 int old_chan_count, new_chan_count; 163 int left; 164 int rc = 0; 165 int tries = 0; 166 struct cifs_server_iface *iface = NULL, *niface = NULL; 167 168 spin_lock(&ses->chan_lock); 169 170 new_chan_count = old_chan_count = ses->chan_count; 171 left = ses->chan_max - ses->chan_count; 172 173 if (left <= 0) { 174 spin_unlock(&ses->chan_lock); 175 cifs_dbg(FYI, 176 "ses already at max_channels (%zu), nothing to open\n", 177 ses->chan_max); 178 return 0; 179 } 180 181 if (ses->server->dialect < SMB30_PROT_ID) { 182 spin_unlock(&ses->chan_lock); 183 cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); 184 return 0; 185 } 186 187 if (!(ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { 188 ses->chan_max = 1; 189 spin_unlock(&ses->chan_lock); 190 cifs_dbg(VFS, "server %s does not support multichannel\n", ses->server->hostname); 191 return 0; 192 } 193 spin_unlock(&ses->chan_lock); 194 195 /* 196 * Keep connecting to same, fastest, iface for all channels as 197 * long as its RSS. Try next fastest one if not RSS or channel 198 * creation fails. 199 */ 200 spin_lock(&ses->iface_lock); 201 iface = list_first_entry(&ses->iface_list, struct cifs_server_iface, 202 iface_head); 203 spin_unlock(&ses->iface_lock); 204 205 while (left > 0) { 206 207 tries++; 208 if (tries > 3*ses->chan_max) { 209 cifs_dbg(FYI, "too many channel open attempts (%d channels left to open)\n", 210 left); 211 break; 212 } 213 214 spin_lock(&ses->iface_lock); 215 if (!ses->iface_count) { 216 spin_unlock(&ses->iface_lock); 217 break; 218 } 219 220 list_for_each_entry_safe_from(iface, niface, &ses->iface_list, 221 iface_head) { 222 /* skip ifaces that are unusable */ 223 if (!iface->is_active || 224 (is_ses_using_iface(ses, iface) && 225 !iface->rss_capable)) { 226 continue; 227 } 228 229 /* take ref before unlock */ 230 kref_get(&iface->refcount); 231 232 spin_unlock(&ses->iface_lock); 233 rc = cifs_ses_add_channel(cifs_sb, ses, iface); 234 spin_lock(&ses->iface_lock); 235 236 if (rc) { 237 cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n", 238 &iface->sockaddr, 239 rc); 240 kref_put(&iface->refcount, release_iface); 241 continue; 242 } 243 244 cifs_dbg(FYI, "successfully opened new channel on iface:%pIS\n", 245 &iface->sockaddr); 246 break; 247 } 248 spin_unlock(&ses->iface_lock); 249 250 left--; 251 new_chan_count++; 252 } 253 254 return new_chan_count - old_chan_count; 255} 256 257/* 258 * update the iface for the channel if necessary. 259 * will return 0 when iface is updated, 1 if removed, 2 otherwise 260 * Must be called with chan_lock held. 261 */ 262int 263cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) 264{ 265 unsigned int chan_index; 266 struct cifs_server_iface *iface = NULL; 267 struct cifs_server_iface *old_iface = NULL; 268 int rc = 0; 269 270 spin_lock(&ses->chan_lock); 271 chan_index = cifs_ses_get_chan_index(ses, server); 272 if (!chan_index) { 273 spin_unlock(&ses->chan_lock); 274 return 0; 275 } 276 277 if (ses->chans[chan_index].iface) { 278 old_iface = ses->chans[chan_index].iface; 279 if (old_iface->is_active) { 280 spin_unlock(&ses->chan_lock); 281 return 1; 282 } 283 } 284 spin_unlock(&ses->chan_lock); 285 286 spin_lock(&ses->iface_lock); 287 /* then look for a new one */ 288 list_for_each_entry(iface, &ses->iface_list, iface_head) { 289 if (!iface->is_active || 290 (is_ses_using_iface(ses, iface) && 291 !iface->rss_capable)) { 292 continue; 293 } 294 kref_get(&iface->refcount); 295 } 296 297 if (!list_entry_is_head(iface, &ses->iface_list, iface_head)) { 298 rc = 1; 299 iface = NULL; 300 cifs_dbg(FYI, "unable to find a suitable iface\n"); 301 } 302 303 /* now drop the ref to the current iface */ 304 if (old_iface && iface) { 305 kref_put(&old_iface->refcount, release_iface); 306 cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", 307 &old_iface->sockaddr, 308 &iface->sockaddr); 309 } else if (old_iface) { 310 kref_put(&old_iface->refcount, release_iface); 311 cifs_dbg(FYI, "releasing ref to iface: %pIS\n", 312 &old_iface->sockaddr); 313 } else { 314 WARN_ON(!iface); 315 cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); 316 } 317 spin_unlock(&ses->iface_lock); 318 319 spin_lock(&ses->chan_lock); 320 chan_index = cifs_ses_get_chan_index(ses, server); 321 ses->chans[chan_index].iface = iface; 322 323 /* No iface is found. if secondary chan, drop connection */ 324 if (!iface && CIFS_SERVER_IS_CHAN(server)) 325 ses->chans[chan_index].server = NULL; 326 327 spin_unlock(&ses->chan_lock); 328 329 if (!iface && CIFS_SERVER_IS_CHAN(server)) 330 cifs_put_tcp_session(server, false); 331 332 return rc; 333} 334 335/* 336 * If server is a channel of ses, return the corresponding enclosing 337 * cifs_chan otherwise return NULL. 338 */ 339struct cifs_chan * 340cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server) 341{ 342 int i; 343 344 spin_lock(&ses->chan_lock); 345 for (i = 0; i < ses->chan_count; i++) { 346 if (ses->chans[i].server == server) { 347 spin_unlock(&ses->chan_lock); 348 return &ses->chans[i]; 349 } 350 } 351 spin_unlock(&ses->chan_lock); 352 return NULL; 353} 354 355static int 356cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses, 357 struct cifs_server_iface *iface) 358{ 359 struct TCP_Server_Info *chan_server; 360 struct cifs_chan *chan; 361 struct smb3_fs_context ctx = {NULL}; 362 static const char unc_fmt[] = "\\%s\\foo"; 363 char unc[sizeof(unc_fmt)+SERVER_NAME_LEN_WITH_NULL] = {0}; 364 struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr; 365 struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr; 366 int rc; 367 unsigned int xid = get_xid(); 368 369 if (iface->sockaddr.ss_family == AF_INET) 370 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n", 371 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 372 &ipv4->sin_addr); 373 else 374 cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n", 375 ses, iface->speed, iface->rdma_capable ? "yes" : "no", 376 &ipv6->sin6_addr); 377 378 /* 379 * Setup a ctx with mostly the same info as the existing 380 * session and overwrite it with the requested iface data. 381 * 382 * We need to setup at least the fields used for negprot and 383 * sesssetup. 384 * 385 * We only need the ctx here, so we can reuse memory from 386 * the session and server without caring about memory 387 * management. 388 */ 389 390 /* Always make new connection for now (TODO?) */ 391 ctx.nosharesock = true; 392 393 /* Auth */ 394 ctx.domainauto = ses->domainAuto; 395 ctx.domainname = ses->domainName; 396 397 /* no hostname for extra channels */ 398 ctx.server_hostname = ""; 399 400 ctx.username = ses->user_name; 401 ctx.password = ses->password; 402 ctx.sectype = ses->sectype; 403 ctx.sign = ses->sign; 404 405 /* UNC and paths */ 406 /* XXX: Use ses->server->hostname? */ 407 sprintf(unc, unc_fmt, ses->ip_addr); 408 ctx.UNC = unc; 409 ctx.prepath = ""; 410 411 /* Reuse same version as master connection */ 412 ctx.vals = ses->server->vals; 413 ctx.ops = ses->server->ops; 414 415 ctx.noblocksnd = ses->server->noblocksnd; 416 ctx.noautotune = ses->server->noautotune; 417 ctx.sockopt_tcp_nodelay = ses->server->tcp_nodelay; 418 ctx.echo_interval = ses->server->echo_interval / HZ; 419 ctx.max_credits = ses->server->max_credits; 420 421 /* 422 * This will be used for encoding/decoding user/domain/pw 423 * during sess setup auth. 424 */ 425 ctx.local_nls = cifs_sb->local_nls; 426 427 /* Use RDMA if possible */ 428 ctx.rdma = iface->rdma_capable; 429 memcpy(&ctx.dstaddr, &iface->sockaddr, sizeof(struct sockaddr_storage)); 430 431 /* reuse master con client guid */ 432 memcpy(&ctx.client_guid, ses->server->client_guid, 433 SMB2_CLIENT_GUID_SIZE); 434 ctx.use_client_guid = true; 435 436 chan_server = cifs_get_tcp_session(&ctx, ses->server); 437 438 spin_lock(&ses->chan_lock); 439 chan = &ses->chans[ses->chan_count]; 440 chan->server = chan_server; 441 if (IS_ERR(chan->server)) { 442 rc = PTR_ERR(chan->server); 443 chan->server = NULL; 444 spin_unlock(&ses->chan_lock); 445 goto out; 446 } 447 chan->iface = iface; 448 ses->chan_count++; 449 atomic_set(&ses->chan_seq, 0); 450 451 /* Mark this channel as needing connect/setup */ 452 cifs_chan_set_need_reconnect(ses, chan->server); 453 454 spin_unlock(&ses->chan_lock); 455 456 mutex_lock(&ses->session_mutex); 457 /* 458 * We need to allocate the server crypto now as we will need 459 * to sign packets before we generate the channel signing key 460 * (we sign with the session key) 461 */ 462 rc = smb311_crypto_shash_allocate(chan->server); 463 if (rc) { 464 cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__); 465 mutex_unlock(&ses->session_mutex); 466 goto out; 467 } 468 469 rc = cifs_negotiate_protocol(xid, ses, chan->server); 470 if (!rc) 471 rc = cifs_setup_session(xid, ses, chan->server, cifs_sb->local_nls); 472 473 mutex_unlock(&ses->session_mutex); 474 475out: 476 if (rc && chan->server) { 477 spin_lock(&ses->chan_lock); 478 /* we rely on all bits beyond chan_count to be clear */ 479 cifs_chan_clear_need_reconnect(ses, chan->server); 480 ses->chan_count--; 481 /* 482 * chan_count should never reach 0 as at least the primary 483 * channel is always allocated 484 */ 485 WARN_ON(ses->chan_count < 1); 486 spin_unlock(&ses->chan_lock); 487 } 488 489 if (rc && chan->server) 490 cifs_put_tcp_session(chan->server, 0); 491 492 return rc; 493} 494 495static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, 496 struct TCP_Server_Info *server, 497 SESSION_SETUP_ANDX *pSMB) 498{ 499 __u32 capabilities = 0; 500 501 /* init fields common to all four types of SessSetup */ 502 /* Note that offsets for first seven fields in req struct are same */ 503 /* in CIFS Specs so does not matter which of 3 forms of struct */ 504 /* that we use in next few lines */ 505 /* Note that header is initialized to zero in header_assemble */ 506 pSMB->req.AndXCommand = 0xFF; 507 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 508 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 509 USHRT_MAX)); 510 pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); 511 pSMB->req.VcNumber = cpu_to_le16(1); 512 513 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 514 515 /* BB verify whether signing required on neg or just on auth frame 516 (and NTLM case) */ 517 518 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 519 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 520 521 if (server->sign) 522 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 523 524 if (ses->capabilities & CAP_UNICODE) { 525 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 526 capabilities |= CAP_UNICODE; 527 } 528 if (ses->capabilities & CAP_STATUS32) { 529 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 530 capabilities |= CAP_STATUS32; 531 } 532 if (ses->capabilities & CAP_DFS) { 533 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 534 capabilities |= CAP_DFS; 535 } 536 if (ses->capabilities & CAP_UNIX) 537 capabilities |= CAP_UNIX; 538 539 return capabilities; 540} 541 542static void 543unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 544{ 545 char *bcc_ptr = *pbcc_area; 546 int bytes_ret = 0; 547 548 /* Copy OS version */ 549 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 550 nls_cp); 551 bcc_ptr += 2 * bytes_ret; 552 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 553 32, nls_cp); 554 bcc_ptr += 2 * bytes_ret; 555 bcc_ptr += 2; /* trailing null */ 556 557 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 558 32, nls_cp); 559 bcc_ptr += 2 * bytes_ret; 560 bcc_ptr += 2; /* trailing null */ 561 562 *pbcc_area = bcc_ptr; 563} 564 565static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 566 const struct nls_table *nls_cp) 567{ 568 char *bcc_ptr = *pbcc_area; 569 int bytes_ret = 0; 570 571 /* copy domain */ 572 if (ses->domainName == NULL) { 573 /* Sending null domain better than using a bogus domain name (as 574 we did briefly in 2.6.18) since server will use its default */ 575 *bcc_ptr = 0; 576 *(bcc_ptr+1) = 0; 577 bytes_ret = 0; 578 } else 579 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 580 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 581 bcc_ptr += 2 * bytes_ret; 582 bcc_ptr += 2; /* account for null terminator */ 583 584 *pbcc_area = bcc_ptr; 585} 586 587 588static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 589 const struct nls_table *nls_cp) 590{ 591 char *bcc_ptr = *pbcc_area; 592 int bytes_ret = 0; 593 594 /* BB FIXME add check that strings total less 595 than 335 or will need to send them as arrays */ 596 597 /* unicode strings, must be word aligned before the call */ 598/* if ((long) bcc_ptr % 2) { 599 *bcc_ptr = 0; 600 bcc_ptr++; 601 } */ 602 /* copy user */ 603 if (ses->user_name == NULL) { 604 /* null user mount */ 605 *bcc_ptr = 0; 606 *(bcc_ptr+1) = 0; 607 } else { 608 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 609 CIFS_MAX_USERNAME_LEN, nls_cp); 610 } 611 bcc_ptr += 2 * bytes_ret; 612 bcc_ptr += 2; /* account for null termination */ 613 614 unicode_domain_string(&bcc_ptr, ses, nls_cp); 615 unicode_oslm_strings(&bcc_ptr, nls_cp); 616 617 *pbcc_area = bcc_ptr; 618} 619 620static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 621 const struct nls_table *nls_cp) 622{ 623 char *bcc_ptr = *pbcc_area; 624 int len; 625 626 /* copy user */ 627 /* BB what about null user mounts - check that we do this BB */ 628 /* copy user */ 629 if (ses->user_name != NULL) { 630 len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 631 if (WARN_ON_ONCE(len < 0)) 632 len = CIFS_MAX_USERNAME_LEN - 1; 633 bcc_ptr += len; 634 } 635 /* else null user mount */ 636 *bcc_ptr = 0; 637 bcc_ptr++; /* account for null termination */ 638 639 /* copy domain */ 640 if (ses->domainName != NULL) { 641 len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 642 if (WARN_ON_ONCE(len < 0)) 643 len = CIFS_MAX_DOMAINNAME_LEN - 1; 644 bcc_ptr += len; 645 } /* else we will send a null domain name 646 so the server will default to its own domain */ 647 *bcc_ptr = 0; 648 bcc_ptr++; 649 650 /* BB check for overflow here */ 651 652 strcpy(bcc_ptr, "Linux version "); 653 bcc_ptr += strlen("Linux version "); 654 strcpy(bcc_ptr, init_utsname()->release); 655 bcc_ptr += strlen(init_utsname()->release) + 1; 656 657 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 658 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 659 660 *pbcc_area = bcc_ptr; 661} 662 663static void 664decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 665 const struct nls_table *nls_cp) 666{ 667 int len; 668 char *data = *pbcc_area; 669 670 cifs_dbg(FYI, "bleft %d\n", bleft); 671 672 kfree(ses->serverOS); 673 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 674 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 675 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 676 data += len; 677 bleft -= len; 678 if (bleft <= 0) 679 return; 680 681 kfree(ses->serverNOS); 682 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 683 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 684 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 685 data += len; 686 bleft -= len; 687 if (bleft <= 0) 688 return; 689 690 kfree(ses->serverDomain); 691 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 692 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 693 694 return; 695} 696 697static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 698 struct cifs_ses *ses, 699 const struct nls_table *nls_cp) 700{ 701 int len; 702 char *bcc_ptr = *pbcc_area; 703 704 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 705 706 len = strnlen(bcc_ptr, bleft); 707 if (len >= bleft) 708 return; 709 710 kfree(ses->serverOS); 711 712 ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 713 if (ses->serverOS) { 714 memcpy(ses->serverOS, bcc_ptr, len); 715 ses->serverOS[len] = 0; 716 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 717 cifs_dbg(FYI, "OS/2 server\n"); 718 } 719 720 bcc_ptr += len + 1; 721 bleft -= len + 1; 722 723 len = strnlen(bcc_ptr, bleft); 724 if (len >= bleft) 725 return; 726 727 kfree(ses->serverNOS); 728 729 ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 730 if (ses->serverNOS) { 731 memcpy(ses->serverNOS, bcc_ptr, len); 732 ses->serverNOS[len] = 0; 733 } 734 735 bcc_ptr += len + 1; 736 bleft -= len + 1; 737 738 len = strnlen(bcc_ptr, bleft); 739 if (len > bleft) 740 return; 741 742 /* No domain field in LANMAN case. Domain is 743 returned by old servers in the SMB negprot response */ 744 /* BB For newer servers which do not support Unicode, 745 but thus do return domain here we could add parsing 746 for it later, but it is not very important */ 747 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 748} 749 750int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 751 struct cifs_ses *ses) 752{ 753 unsigned int tioffset; /* challenge message target info area */ 754 unsigned int tilen; /* challenge message target info area length */ 755 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 756 __u32 server_flags; 757 758 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 759 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 760 return -EINVAL; 761 } 762 763 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 764 cifs_dbg(VFS, "blob signature incorrect %s\n", 765 pblob->Signature); 766 return -EINVAL; 767 } 768 if (pblob->MessageType != NtLmChallenge) { 769 cifs_dbg(VFS, "Incorrect message type %d\n", 770 pblob->MessageType); 771 return -EINVAL; 772 } 773 774 server_flags = le32_to_cpu(pblob->NegotiateFlags); 775 cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__, 776 ses->ntlmssp->client_flags, server_flags); 777 778 if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN)) && 779 (!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) { 780 cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n", 781 __func__); 782 return -EINVAL; 783 } 784 if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) { 785 cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__); 786 return -EINVAL; 787 } 788 if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) { 789 cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n", 790 __func__); 791 return -EOPNOTSUPP; 792 } 793 if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 794 !(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH)) 795 pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n", 796 __func__); 797 798 ses->ntlmssp->server_flags = server_flags; 799 800 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 801 /* In particular we can examine sign flags */ 802 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 803 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 804 805 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 806 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 807 if (tioffset > blob_len || tioffset + tilen > blob_len) { 808 cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n", 809 tioffset, tilen); 810 return -EINVAL; 811 } 812 if (tilen) { 813 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 814 GFP_KERNEL); 815 if (!ses->auth_key.response) { 816 cifs_dbg(VFS, "Challenge target info alloc failure\n"); 817 return -ENOMEM; 818 } 819 ses->auth_key.len = tilen; 820 } 821 822 return 0; 823} 824 825static int size_of_ntlmssp_blob(struct cifs_ses *ses, int base_size) 826{ 827 int sz = base_size + ses->auth_key.len 828 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 829 830 if (ses->domainName) 831 sz += sizeof(__le16) * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 832 else 833 sz += sizeof(__le16); 834 835 if (ses->user_name) 836 sz += sizeof(__le16) * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 837 else 838 sz += sizeof(__le16); 839 840 if (ses->workstation_name[0]) 841 sz += sizeof(__le16) * strnlen(ses->workstation_name, 842 ntlmssp_workstation_name_size(ses)); 843 else 844 sz += sizeof(__le16); 845 846 return sz; 847} 848 849static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf, 850 char *str_value, 851 int str_length, 852 unsigned char *pstart, 853 unsigned char **pcur, 854 const struct nls_table *nls_cp) 855{ 856 unsigned char *tmp = pstart; 857 int len; 858 859 if (!pbuf) 860 return; 861 862 if (!pcur) 863 pcur = &tmp; 864 865 if (!str_value) { 866 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 867 pbuf->Length = 0; 868 pbuf->MaximumLength = 0; 869 *pcur += sizeof(__le16); 870 } else { 871 len = cifs_strtoUTF16((__le16 *)*pcur, 872 str_value, 873 str_length, 874 nls_cp); 875 len *= sizeof(__le16); 876 pbuf->BufferOffset = cpu_to_le32(*pcur - pstart); 877 pbuf->Length = cpu_to_le16(len); 878 pbuf->MaximumLength = cpu_to_le16(len); 879 *pcur += len; 880 } 881} 882 883/* BB Move to ntlmssp.c eventually */ 884 885int build_ntlmssp_negotiate_blob(unsigned char **pbuffer, 886 u16 *buflen, 887 struct cifs_ses *ses, 888 struct TCP_Server_Info *server, 889 const struct nls_table *nls_cp) 890{ 891 int rc = 0; 892 NEGOTIATE_MESSAGE *sec_blob; 893 __u32 flags; 894 unsigned char *tmp; 895 int len; 896 897 len = size_of_ntlmssp_blob(ses, sizeof(NEGOTIATE_MESSAGE)); 898 *pbuffer = kmalloc(len, GFP_KERNEL); 899 if (!*pbuffer) { 900 rc = -ENOMEM; 901 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 902 *buflen = 0; 903 goto setup_ntlm_neg_ret; 904 } 905 sec_blob = (NEGOTIATE_MESSAGE *)*pbuffer; 906 907 memset(*pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 908 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 909 sec_blob->MessageType = NtLmNegotiate; 910 911 /* BB is NTLMV2 session security format easier to use here? */ 912 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 913 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 914 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 915 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 916 NTLMSSP_NEGOTIATE_SIGN; 917 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 918 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 919 920 tmp = *pbuffer + sizeof(NEGOTIATE_MESSAGE); 921 ses->ntlmssp->client_flags = flags; 922 sec_blob->NegotiateFlags = cpu_to_le32(flags); 923 924 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 925 cifs_security_buffer_from_str(&sec_blob->DomainName, 926 NULL, 927 CIFS_MAX_DOMAINNAME_LEN, 928 *pbuffer, &tmp, 929 nls_cp); 930 931 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 932 NULL, 933 CIFS_MAX_WORKSTATION_LEN, 934 *pbuffer, &tmp, 935 nls_cp); 936 937 *buflen = tmp - *pbuffer; 938setup_ntlm_neg_ret: 939 return rc; 940} 941 942/* 943 * Build ntlmssp blob with additional fields, such as version, 944 * supported by modern servers. For safety limit to SMB3 or later 945 * See notes in MS-NLMP Section 2.2.2.1 e.g. 946 */ 947int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer, 948 u16 *buflen, 949 struct cifs_ses *ses, 950 struct TCP_Server_Info *server, 951 const struct nls_table *nls_cp) 952{ 953 int rc = 0; 954 struct negotiate_message *sec_blob; 955 __u32 flags; 956 unsigned char *tmp; 957 int len; 958 959 len = size_of_ntlmssp_blob(ses, sizeof(struct negotiate_message)); 960 *pbuffer = kmalloc(len, GFP_KERNEL); 961 if (!*pbuffer) { 962 rc = -ENOMEM; 963 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 964 *buflen = 0; 965 goto setup_ntlm_smb3_neg_ret; 966 } 967 sec_blob = (struct negotiate_message *)*pbuffer; 968 969 memset(*pbuffer, 0, sizeof(struct negotiate_message)); 970 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 971 sec_blob->MessageType = NtLmNegotiate; 972 973 /* BB is NTLMV2 session security format easier to use here? */ 974 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 975 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 976 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 977 NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_SEAL | 978 NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_VERSION; 979 if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 980 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 981 982 sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR; 983 sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL; 984 sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD); 985 sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; 986 987 tmp = *pbuffer + sizeof(struct negotiate_message); 988 ses->ntlmssp->client_flags = flags; 989 sec_blob->NegotiateFlags = cpu_to_le32(flags); 990 991 /* these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 */ 992 cifs_security_buffer_from_str(&sec_blob->DomainName, 993 NULL, 994 CIFS_MAX_DOMAINNAME_LEN, 995 *pbuffer, &tmp, 996 nls_cp); 997 998 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 999 NULL, 1000 CIFS_MAX_WORKSTATION_LEN, 1001 *pbuffer, &tmp, 1002 nls_cp); 1003 1004 *buflen = tmp - *pbuffer; 1005setup_ntlm_smb3_neg_ret: 1006 return rc; 1007} 1008 1009 1010int build_ntlmssp_auth_blob(unsigned char **pbuffer, 1011 u16 *buflen, 1012 struct cifs_ses *ses, 1013 struct TCP_Server_Info *server, 1014 const struct nls_table *nls_cp) 1015{ 1016 int rc; 1017 AUTHENTICATE_MESSAGE *sec_blob; 1018 __u32 flags; 1019 unsigned char *tmp; 1020 int len; 1021 1022 rc = setup_ntlmv2_rsp(ses, nls_cp); 1023 if (rc) { 1024 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 1025 *buflen = 0; 1026 goto setup_ntlmv2_ret; 1027 } 1028 1029 len = size_of_ntlmssp_blob(ses, sizeof(AUTHENTICATE_MESSAGE)); 1030 *pbuffer = kmalloc(len, GFP_KERNEL); 1031 if (!*pbuffer) { 1032 rc = -ENOMEM; 1033 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 1034 *buflen = 0; 1035 goto setup_ntlmv2_ret; 1036 } 1037 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 1038 1039 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 1040 sec_blob->MessageType = NtLmAuthenticate; 1041 1042 flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET | 1043 NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED; 1044 1045 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 1046 sec_blob->NegotiateFlags = cpu_to_le32(flags); 1047 1048 sec_blob->LmChallengeResponse.BufferOffset = 1049 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 1050 sec_blob->LmChallengeResponse.Length = 0; 1051 sec_blob->LmChallengeResponse.MaximumLength = 0; 1052 1053 sec_blob->NtChallengeResponse.BufferOffset = 1054 cpu_to_le32(tmp - *pbuffer); 1055 if (ses->user_name != NULL) { 1056 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1057 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1058 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1059 1060 sec_blob->NtChallengeResponse.Length = 1061 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1062 sec_blob->NtChallengeResponse.MaximumLength = 1063 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1064 } else { 1065 /* 1066 * don't send an NT Response for anonymous access 1067 */ 1068 sec_blob->NtChallengeResponse.Length = 0; 1069 sec_blob->NtChallengeResponse.MaximumLength = 0; 1070 } 1071 1072 cifs_security_buffer_from_str(&sec_blob->DomainName, 1073 ses->domainName, 1074 CIFS_MAX_DOMAINNAME_LEN, 1075 *pbuffer, &tmp, 1076 nls_cp); 1077 1078 cifs_security_buffer_from_str(&sec_blob->UserName, 1079 ses->user_name, 1080 CIFS_MAX_USERNAME_LEN, 1081 *pbuffer, &tmp, 1082 nls_cp); 1083 1084 cifs_security_buffer_from_str(&sec_blob->WorkstationName, 1085 ses->workstation_name, 1086 ntlmssp_workstation_name_size(ses), 1087 *pbuffer, &tmp, 1088 nls_cp); 1089 1090 if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) && 1091 (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) && 1092 !calc_seckey(ses)) { 1093 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 1094 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1095 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 1096 sec_blob->SessionKey.MaximumLength = 1097 cpu_to_le16(CIFS_CPHTXT_SIZE); 1098 tmp += CIFS_CPHTXT_SIZE; 1099 } else { 1100 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 1101 sec_blob->SessionKey.Length = 0; 1102 sec_blob->SessionKey.MaximumLength = 0; 1103 } 1104 1105 *buflen = tmp - *pbuffer; 1106setup_ntlmv2_ret: 1107 return rc; 1108} 1109 1110enum securityEnum 1111cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 1112{ 1113 switch (server->negflavor) { 1114 case CIFS_NEGFLAVOR_EXTENDED: 1115 switch (requested) { 1116 case Kerberos: 1117 case RawNTLMSSP: 1118 return requested; 1119 case Unspecified: 1120 if (server->sec_ntlmssp && 1121 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 1122 return RawNTLMSSP; 1123 if ((server->sec_kerberos || server->sec_mskerberos) && 1124 (global_secflags & CIFSSEC_MAY_KRB5)) 1125 return Kerberos; 1126 fallthrough; 1127 default: 1128 return Unspecified; 1129 } 1130 case CIFS_NEGFLAVOR_UNENCAP: 1131 switch (requested) { 1132 case NTLMv2: 1133 return requested; 1134 case Unspecified: 1135 if (global_secflags & CIFSSEC_MAY_NTLMV2) 1136 return NTLMv2; 1137 break; 1138 default: 1139 break; 1140 } 1141 fallthrough; 1142 default: 1143 return Unspecified; 1144 } 1145} 1146 1147struct sess_data { 1148 unsigned int xid; 1149 struct cifs_ses *ses; 1150 struct TCP_Server_Info *server; 1151 struct nls_table *nls_cp; 1152 void (*func)(struct sess_data *); 1153 int result; 1154 1155 /* we will send the SMB in three pieces: 1156 * a fixed length beginning part, an optional 1157 * SPNEGO blob (which can be zero length), and a 1158 * last part which will include the strings 1159 * and rest of bcc area. This allows us to avoid 1160 * a large buffer 17K allocation 1161 */ 1162 int buf0_type; 1163 struct kvec iov[3]; 1164}; 1165 1166static int 1167sess_alloc_buffer(struct sess_data *sess_data, int wct) 1168{ 1169 int rc; 1170 struct cifs_ses *ses = sess_data->ses; 1171 struct smb_hdr *smb_buf; 1172 1173 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 1174 (void **)&smb_buf); 1175 1176 if (rc) 1177 return rc; 1178 1179 sess_data->iov[0].iov_base = (char *)smb_buf; 1180 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 1181 /* 1182 * This variable will be used to clear the buffer 1183 * allocated above in case of any error in the calling function. 1184 */ 1185 sess_data->buf0_type = CIFS_SMALL_BUFFER; 1186 1187 /* 2000 big enough to fit max user, domain, NOS name etc. */ 1188 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 1189 if (!sess_data->iov[2].iov_base) { 1190 rc = -ENOMEM; 1191 goto out_free_smb_buf; 1192 } 1193 1194 return 0; 1195 1196out_free_smb_buf: 1197 cifs_small_buf_release(smb_buf); 1198 sess_data->iov[0].iov_base = NULL; 1199 sess_data->iov[0].iov_len = 0; 1200 sess_data->buf0_type = CIFS_NO_BUFFER; 1201 return rc; 1202} 1203 1204static void 1205sess_free_buffer(struct sess_data *sess_data) 1206{ 1207 1208 free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); 1209 sess_data->buf0_type = CIFS_NO_BUFFER; 1210 kfree(sess_data->iov[2].iov_base); 1211} 1212 1213static int 1214sess_establish_session(struct sess_data *sess_data) 1215{ 1216 struct cifs_ses *ses = sess_data->ses; 1217 struct TCP_Server_Info *server = sess_data->server; 1218 1219 cifs_server_lock(server); 1220 if (!server->session_estab) { 1221 if (server->sign) { 1222 server->session_key.response = 1223 kmemdup(ses->auth_key.response, 1224 ses->auth_key.len, GFP_KERNEL); 1225 if (!server->session_key.response) { 1226 cifs_server_unlock(server); 1227 return -ENOMEM; 1228 } 1229 server->session_key.len = 1230 ses->auth_key.len; 1231 } 1232 server->sequence_number = 0x2; 1233 server->session_estab = true; 1234 } 1235 cifs_server_unlock(server); 1236 1237 cifs_dbg(FYI, "CIFS session established successfully\n"); 1238 return 0; 1239} 1240 1241static int 1242sess_sendreceive(struct sess_data *sess_data) 1243{ 1244 int rc; 1245 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 1246 __u16 count; 1247 struct kvec rsp_iov = { NULL, 0 }; 1248 1249 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 1250 be32_add_cpu(&smb_buf->smb_buf_length, count); 1251 put_bcc(count, smb_buf); 1252 1253 rc = SendReceive2(sess_data->xid, sess_data->ses, 1254 sess_data->iov, 3 /* num_iovecs */, 1255 &sess_data->buf0_type, 1256 CIFS_LOG_ERROR, &rsp_iov); 1257 cifs_small_buf_release(sess_data->iov[0].iov_base); 1258 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 1259 1260 return rc; 1261} 1262 1263static void 1264sess_auth_ntlmv2(struct sess_data *sess_data) 1265{ 1266 int rc = 0; 1267 struct smb_hdr *smb_buf; 1268 SESSION_SETUP_ANDX *pSMB; 1269 char *bcc_ptr; 1270 struct cifs_ses *ses = sess_data->ses; 1271 struct TCP_Server_Info *server = sess_data->server; 1272 __u32 capabilities; 1273 __u16 bytes_remaining; 1274 1275 /* old style NTLM sessionsetup */ 1276 /* wct = 13 */ 1277 rc = sess_alloc_buffer(sess_data, 13); 1278 if (rc) 1279 goto out; 1280 1281 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1282 bcc_ptr = sess_data->iov[2].iov_base; 1283 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1284 1285 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 1286 1287 /* LM2 password would be here if we supported it */ 1288 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 1289 1290 if (ses->user_name != NULL) { 1291 /* calculate nlmv2 response and session key */ 1292 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 1293 if (rc) { 1294 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 1295 goto out; 1296 } 1297 1298 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 1299 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1300 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 1301 1302 /* set case sensitive password length after tilen may get 1303 * assigned, tilen is 0 otherwise. 1304 */ 1305 pSMB->req_no_secext.CaseSensitivePasswordLength = 1306 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 1307 } else { 1308 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 1309 } 1310 1311 if (ses->capabilities & CAP_UNICODE) { 1312 if (sess_data->iov[0].iov_len % 2) { 1313 *bcc_ptr = 0; 1314 bcc_ptr++; 1315 } 1316 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1317 } else { 1318 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1319 } 1320 1321 1322 sess_data->iov[2].iov_len = (long) bcc_ptr - 1323 (long) sess_data->iov[2].iov_base; 1324 1325 rc = sess_sendreceive(sess_data); 1326 if (rc) 1327 goto out; 1328 1329 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1330 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1331 1332 if (smb_buf->WordCount != 3) { 1333 rc = -EIO; 1334 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1335 goto out; 1336 } 1337 1338 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1339 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1340 1341 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1342 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1343 1344 bytes_remaining = get_bcc(smb_buf); 1345 bcc_ptr = pByteArea(smb_buf); 1346 1347 /* BB check if Unicode and decode strings */ 1348 if (bytes_remaining == 0) { 1349 /* no string area to decode, do nothing */ 1350 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1351 /* unicode string area must be word-aligned */ 1352 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 1353 ++bcc_ptr; 1354 --bytes_remaining; 1355 } 1356 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1357 sess_data->nls_cp); 1358 } else { 1359 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1360 sess_data->nls_cp); 1361 } 1362 1363 rc = sess_establish_session(sess_data); 1364out: 1365 sess_data->result = rc; 1366 sess_data->func = NULL; 1367 sess_free_buffer(sess_data); 1368 kfree(ses->auth_key.response); 1369 ses->auth_key.response = NULL; 1370} 1371 1372#ifdef CONFIG_CIFS_UPCALL 1373static void 1374sess_auth_kerberos(struct sess_data *sess_data) 1375{ 1376 int rc = 0; 1377 struct smb_hdr *smb_buf; 1378 SESSION_SETUP_ANDX *pSMB; 1379 char *bcc_ptr; 1380 struct cifs_ses *ses = sess_data->ses; 1381 struct TCP_Server_Info *server = sess_data->server; 1382 __u32 capabilities; 1383 __u16 bytes_remaining; 1384 struct key *spnego_key = NULL; 1385 struct cifs_spnego_msg *msg; 1386 u16 blob_len; 1387 1388 /* extended security */ 1389 /* wct = 12 */ 1390 rc = sess_alloc_buffer(sess_data, 12); 1391 if (rc) 1392 goto out; 1393 1394 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1395 bcc_ptr = sess_data->iov[2].iov_base; 1396 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1397 1398 spnego_key = cifs_get_spnego_key(ses, server); 1399 if (IS_ERR(spnego_key)) { 1400 rc = PTR_ERR(spnego_key); 1401 spnego_key = NULL; 1402 goto out; 1403 } 1404 1405 msg = spnego_key->payload.data[0]; 1406 /* 1407 * check version field to make sure that cifs.upcall is 1408 * sending us a response in an expected form 1409 */ 1410 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1411 cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n", 1412 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1413 rc = -EKEYREJECTED; 1414 goto out_put_spnego_key; 1415 } 1416 1417 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1418 GFP_KERNEL); 1419 if (!ses->auth_key.response) { 1420 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", 1421 msg->sesskey_len); 1422 rc = -ENOMEM; 1423 goto out_put_spnego_key; 1424 } 1425 ses->auth_key.len = msg->sesskey_len; 1426 1427 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1428 capabilities |= CAP_EXTENDED_SECURITY; 1429 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1430 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1431 sess_data->iov[1].iov_len = msg->secblob_len; 1432 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1433 1434 if (ses->capabilities & CAP_UNICODE) { 1435 /* unicode strings must be word aligned */ 1436 if ((sess_data->iov[0].iov_len 1437 + sess_data->iov[1].iov_len) % 2) { 1438 *bcc_ptr = 0; 1439 bcc_ptr++; 1440 } 1441 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1442 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1443 } else { 1444 /* BB: is this right? */ 1445 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1446 } 1447 1448 sess_data->iov[2].iov_len = (long) bcc_ptr - 1449 (long) sess_data->iov[2].iov_base; 1450 1451 rc = sess_sendreceive(sess_data); 1452 if (rc) 1453 goto out_put_spnego_key; 1454 1455 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1456 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1457 1458 if (smb_buf->WordCount != 4) { 1459 rc = -EIO; 1460 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1461 goto out_put_spnego_key; 1462 } 1463 1464 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1465 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1466 1467 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1468 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1469 1470 bytes_remaining = get_bcc(smb_buf); 1471 bcc_ptr = pByteArea(smb_buf); 1472 1473 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1474 if (blob_len > bytes_remaining) { 1475 cifs_dbg(VFS, "bad security blob length %d\n", 1476 blob_len); 1477 rc = -EINVAL; 1478 goto out_put_spnego_key; 1479 } 1480 bcc_ptr += blob_len; 1481 bytes_remaining -= blob_len; 1482 1483 /* BB check if Unicode and decode strings */ 1484 if (bytes_remaining == 0) { 1485 /* no string area to decode, do nothing */ 1486 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1487 /* unicode string area must be word-aligned */ 1488 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 1489 ++bcc_ptr; 1490 --bytes_remaining; 1491 } 1492 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1493 sess_data->nls_cp); 1494 } else { 1495 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1496 sess_data->nls_cp); 1497 } 1498 1499 rc = sess_establish_session(sess_data); 1500out_put_spnego_key: 1501 key_invalidate(spnego_key); 1502 key_put(spnego_key); 1503out: 1504 sess_data->result = rc; 1505 sess_data->func = NULL; 1506 sess_free_buffer(sess_data); 1507 kfree(ses->auth_key.response); 1508 ses->auth_key.response = NULL; 1509} 1510 1511#endif /* ! CONFIG_CIFS_UPCALL */ 1512 1513/* 1514 * The required kvec buffers have to be allocated before calling this 1515 * function. 1516 */ 1517static int 1518_sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1519{ 1520 SESSION_SETUP_ANDX *pSMB; 1521 struct cifs_ses *ses = sess_data->ses; 1522 struct TCP_Server_Info *server = sess_data->server; 1523 __u32 capabilities; 1524 char *bcc_ptr; 1525 1526 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1527 1528 capabilities = cifs_ssetup_hdr(ses, server, pSMB); 1529 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1530 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1531 return -ENOSYS; 1532 } 1533 1534 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1535 capabilities |= CAP_EXTENDED_SECURITY; 1536 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1537 1538 bcc_ptr = sess_data->iov[2].iov_base; 1539 /* unicode strings must be word aligned */ 1540 if ((sess_data->iov[0].iov_len + sess_data->iov[1].iov_len) % 2) { 1541 *bcc_ptr = 0; 1542 bcc_ptr++; 1543 } 1544 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1545 1546 sess_data->iov[2].iov_len = (long) bcc_ptr - 1547 (long) sess_data->iov[2].iov_base; 1548 1549 return 0; 1550} 1551 1552static void 1553sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1554 1555static void 1556sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1557{ 1558 int rc; 1559 struct smb_hdr *smb_buf; 1560 SESSION_SETUP_ANDX *pSMB; 1561 struct cifs_ses *ses = sess_data->ses; 1562 struct TCP_Server_Info *server = sess_data->server; 1563 __u16 bytes_remaining; 1564 char *bcc_ptr; 1565 unsigned char *ntlmsspblob = NULL; 1566 u16 blob_len; 1567 1568 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1569 1570 /* 1571 * if memory allocation is successful, caller of this function 1572 * frees it. 1573 */ 1574 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1575 if (!ses->ntlmssp) { 1576 rc = -ENOMEM; 1577 goto out; 1578 } 1579 ses->ntlmssp->sesskey_per_smbsess = false; 1580 1581 /* wct = 12 */ 1582 rc = sess_alloc_buffer(sess_data, 12); 1583 if (rc) 1584 goto out; 1585 1586 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1587 1588 /* Build security blob before we assemble the request */ 1589 rc = build_ntlmssp_negotiate_blob(&ntlmsspblob, 1590 &blob_len, ses, server, 1591 sess_data->nls_cp); 1592 if (rc) 1593 goto out_free_ntlmsspblob; 1594 1595 sess_data->iov[1].iov_len = blob_len; 1596 sess_data->iov[1].iov_base = ntlmsspblob; 1597 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1598 1599 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1600 if (rc) 1601 goto out_free_ntlmsspblob; 1602 1603 rc = sess_sendreceive(sess_data); 1604 1605 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1606 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1607 1608 /* If true, rc here is expected and not an error */ 1609 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1610 smb_buf->Status.CifsError == 1611 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1612 rc = 0; 1613 1614 if (rc) 1615 goto out_free_ntlmsspblob; 1616 1617 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1618 1619 if (smb_buf->WordCount != 4) { 1620 rc = -EIO; 1621 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1622 goto out_free_ntlmsspblob; 1623 } 1624 1625 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1626 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1627 1628 bytes_remaining = get_bcc(smb_buf); 1629 bcc_ptr = pByteArea(smb_buf); 1630 1631 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1632 if (blob_len > bytes_remaining) { 1633 cifs_dbg(VFS, "bad security blob length %d\n", 1634 blob_len); 1635 rc = -EINVAL; 1636 goto out_free_ntlmsspblob; 1637 } 1638 1639 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1640 1641out_free_ntlmsspblob: 1642 kfree(ntlmsspblob); 1643out: 1644 sess_free_buffer(sess_data); 1645 1646 if (!rc) { 1647 sess_data->func = sess_auth_rawntlmssp_authenticate; 1648 return; 1649 } 1650 1651 /* Else error. Cleanup */ 1652 kfree(ses->auth_key.response); 1653 ses->auth_key.response = NULL; 1654 kfree(ses->ntlmssp); 1655 ses->ntlmssp = NULL; 1656 1657 sess_data->func = NULL; 1658 sess_data->result = rc; 1659} 1660 1661static void 1662sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1663{ 1664 int rc; 1665 struct smb_hdr *smb_buf; 1666 SESSION_SETUP_ANDX *pSMB; 1667 struct cifs_ses *ses = sess_data->ses; 1668 struct TCP_Server_Info *server = sess_data->server; 1669 __u16 bytes_remaining; 1670 char *bcc_ptr; 1671 unsigned char *ntlmsspblob = NULL; 1672 u16 blob_len; 1673 1674 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1675 1676 /* wct = 12 */ 1677 rc = sess_alloc_buffer(sess_data, 12); 1678 if (rc) 1679 goto out; 1680 1681 /* Build security blob before we assemble the request */ 1682 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1683 smb_buf = (struct smb_hdr *)pSMB; 1684 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1685 &blob_len, ses, server, 1686 sess_data->nls_cp); 1687 if (rc) 1688 goto out_free_ntlmsspblob; 1689 sess_data->iov[1].iov_len = blob_len; 1690 sess_data->iov[1].iov_base = ntlmsspblob; 1691 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1692 /* 1693 * Make sure that we tell the server that we are using 1694 * the uid that it just gave us back on the response 1695 * (challenge) 1696 */ 1697 smb_buf->Uid = ses->Suid; 1698 1699 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1700 if (rc) 1701 goto out_free_ntlmsspblob; 1702 1703 rc = sess_sendreceive(sess_data); 1704 if (rc) 1705 goto out_free_ntlmsspblob; 1706 1707 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1708 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1709 if (smb_buf->WordCount != 4) { 1710 rc = -EIO; 1711 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1712 goto out_free_ntlmsspblob; 1713 } 1714 1715 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1716 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1717 1718 if (ses->Suid != smb_buf->Uid) { 1719 ses->Suid = smb_buf->Uid; 1720 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1721 } 1722 1723 bytes_remaining = get_bcc(smb_buf); 1724 bcc_ptr = pByteArea(smb_buf); 1725 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1726 if (blob_len > bytes_remaining) { 1727 cifs_dbg(VFS, "bad security blob length %d\n", 1728 blob_len); 1729 rc = -EINVAL; 1730 goto out_free_ntlmsspblob; 1731 } 1732 bcc_ptr += blob_len; 1733 bytes_remaining -= blob_len; 1734 1735 1736 /* BB check if Unicode and decode strings */ 1737 if (bytes_remaining == 0) { 1738 /* no string area to decode, do nothing */ 1739 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1740 /* unicode string area must be word-aligned */ 1741 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 1742 ++bcc_ptr; 1743 --bytes_remaining; 1744 } 1745 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1746 sess_data->nls_cp); 1747 } else { 1748 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1749 sess_data->nls_cp); 1750 } 1751 1752out_free_ntlmsspblob: 1753 kfree(ntlmsspblob); 1754out: 1755 sess_free_buffer(sess_data); 1756 1757 if (!rc) 1758 rc = sess_establish_session(sess_data); 1759 1760 /* Cleanup */ 1761 kfree(ses->auth_key.response); 1762 ses->auth_key.response = NULL; 1763 kfree(ses->ntlmssp); 1764 ses->ntlmssp = NULL; 1765 1766 sess_data->func = NULL; 1767 sess_data->result = rc; 1768} 1769 1770static int select_sec(struct sess_data *sess_data) 1771{ 1772 int type; 1773 struct cifs_ses *ses = sess_data->ses; 1774 struct TCP_Server_Info *server = sess_data->server; 1775 1776 type = cifs_select_sectype(server, ses->sectype); 1777 cifs_dbg(FYI, "sess setup type %d\n", type); 1778 if (type == Unspecified) { 1779 cifs_dbg(VFS, "Unable to select appropriate authentication method!\n"); 1780 return -EINVAL; 1781 } 1782 1783 switch (type) { 1784 case NTLMv2: 1785 sess_data->func = sess_auth_ntlmv2; 1786 break; 1787 case Kerberos: 1788#ifdef CONFIG_CIFS_UPCALL 1789 sess_data->func = sess_auth_kerberos; 1790 break; 1791#else 1792 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1793 return -ENOSYS; 1794#endif /* CONFIG_CIFS_UPCALL */ 1795 case RawNTLMSSP: 1796 sess_data->func = sess_auth_rawntlmssp_negotiate; 1797 break; 1798 default: 1799 cifs_dbg(VFS, "secType %d not supported!\n", type); 1800 return -ENOSYS; 1801 } 1802 1803 return 0; 1804} 1805 1806int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1807 struct TCP_Server_Info *server, 1808 const struct nls_table *nls_cp) 1809{ 1810 int rc = 0; 1811 struct sess_data *sess_data; 1812 1813 if (ses == NULL) { 1814 WARN(1, "%s: ses == NULL!", __func__); 1815 return -EINVAL; 1816 } 1817 1818 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 1819 if (!sess_data) 1820 return -ENOMEM; 1821 1822 sess_data->xid = xid; 1823 sess_data->ses = ses; 1824 sess_data->server = server; 1825 sess_data->buf0_type = CIFS_NO_BUFFER; 1826 sess_data->nls_cp = (struct nls_table *) nls_cp; 1827 1828 rc = select_sec(sess_data); 1829 if (rc) 1830 goto out; 1831 1832 while (sess_data->func) 1833 sess_data->func(sess_data); 1834 1835 /* Store result before we free sess_data */ 1836 rc = sess_data->result; 1837 1838out: 1839 kfree(sess_data); 1840 return rc; 1841}