tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / fs / cifs / sess.c
at v5.0-rc2 1478 lines 41 kB view raw
1/* 2 * fs/cifs/sess.c 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 * This library is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU Lesser General Public License as published 11 * by the Free Software Foundation; either version 2.1 of the License, or 12 * (at your option) any later version. 13 * 14 * This library is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 17 * the GNU Lesser General Public License for more details. 18 * 19 * You should have received a copy of the GNU Lesser General Public License 20 * along with this library; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 */ 23 24#include "cifspdu.h" 25#include "cifsglob.h" 26#include "cifsproto.h" 27#include "cifs_unicode.h" 28#include "cifs_debug.h" 29#include "ntlmssp.h" 30#include "nterr.h" 31#include <linux/utsname.h> 32#include <linux/slab.h> 33#include "cifs_spnego.h" 34 35static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB) 36{ 37 __u32 capabilities = 0; 38 39 /* init fields common to all four types of SessSetup */ 40 /* Note that offsets for first seven fields in req struct are same */ 41 /* in CIFS Specs so does not matter which of 3 forms of struct */ 42 /* that we use in next few lines */ 43 /* Note that header is initialized to zero in header_assemble */ 44 pSMB->req.AndXCommand = 0xFF; 45 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, 46 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, 47 USHRT_MAX)); 48 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq); 49 pSMB->req.VcNumber = cpu_to_le16(1); 50 51 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 52 53 /* BB verify whether signing required on neg or just on auth frame 54 (and NTLM case) */ 55 56 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 57 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 58 59 if (ses->server->sign) 60 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 61 62 if (ses->capabilities & CAP_UNICODE) { 63 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 64 capabilities |= CAP_UNICODE; 65 } 66 if (ses->capabilities & CAP_STATUS32) { 67 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 68 capabilities |= CAP_STATUS32; 69 } 70 if (ses->capabilities & CAP_DFS) { 71 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 72 capabilities |= CAP_DFS; 73 } 74 if (ses->capabilities & CAP_UNIX) 75 capabilities |= CAP_UNIX; 76 77 return capabilities; 78} 79 80static void 81unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 82{ 83 char *bcc_ptr = *pbcc_area; 84 int bytes_ret = 0; 85 86 /* Copy OS version */ 87 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, 88 nls_cp); 89 bcc_ptr += 2 * bytes_ret; 90 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, 91 32, nls_cp); 92 bcc_ptr += 2 * bytes_ret; 93 bcc_ptr += 2; /* trailing null */ 94 95 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 96 32, nls_cp); 97 bcc_ptr += 2 * bytes_ret; 98 bcc_ptr += 2; /* trailing null */ 99 100 *pbcc_area = bcc_ptr; 101} 102 103static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 104 const struct nls_table *nls_cp) 105{ 106 char *bcc_ptr = *pbcc_area; 107 int bytes_ret = 0; 108 109 /* copy domain */ 110 if (ses->domainName == NULL) { 111 /* Sending null domain better than using a bogus domain name (as 112 we did briefly in 2.6.18) since server will use its default */ 113 *bcc_ptr = 0; 114 *(bcc_ptr+1) = 0; 115 bytes_ret = 0; 116 } else 117 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, 118 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 119 bcc_ptr += 2 * bytes_ret; 120 bcc_ptr += 2; /* account for null terminator */ 121 122 *pbcc_area = bcc_ptr; 123} 124 125 126static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 127 const struct nls_table *nls_cp) 128{ 129 char *bcc_ptr = *pbcc_area; 130 int bytes_ret = 0; 131 132 /* BB FIXME add check that strings total less 133 than 335 or will need to send them as arrays */ 134 135 /* unicode strings, must be word aligned before the call */ 136/* if ((long) bcc_ptr % 2) { 137 *bcc_ptr = 0; 138 bcc_ptr++; 139 } */ 140 /* copy user */ 141 if (ses->user_name == NULL) { 142 /* null user mount */ 143 *bcc_ptr = 0; 144 *(bcc_ptr+1) = 0; 145 } else { 146 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, 147 CIFS_MAX_USERNAME_LEN, nls_cp); 148 } 149 bcc_ptr += 2 * bytes_ret; 150 bcc_ptr += 2; /* account for null termination */ 151 152 unicode_domain_string(&bcc_ptr, ses, nls_cp); 153 unicode_oslm_strings(&bcc_ptr, nls_cp); 154 155 *pbcc_area = bcc_ptr; 156} 157 158static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 159 const struct nls_table *nls_cp) 160{ 161 char *bcc_ptr = *pbcc_area; 162 163 /* copy user */ 164 /* BB what about null user mounts - check that we do this BB */ 165 /* copy user */ 166 if (ses->user_name != NULL) { 167 strncpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 168 bcc_ptr += strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 169 } 170 /* else null user mount */ 171 *bcc_ptr = 0; 172 bcc_ptr++; /* account for null termination */ 173 174 /* copy domain */ 175 if (ses->domainName != NULL) { 176 strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 177 bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 178 } /* else we will send a null domain name 179 so the server will default to its own domain */ 180 *bcc_ptr = 0; 181 bcc_ptr++; 182 183 /* BB check for overflow here */ 184 185 strcpy(bcc_ptr, "Linux version "); 186 bcc_ptr += strlen("Linux version "); 187 strcpy(bcc_ptr, init_utsname()->release); 188 bcc_ptr += strlen(init_utsname()->release) + 1; 189 190 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 191 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 192 193 *pbcc_area = bcc_ptr; 194} 195 196static void 197decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, 198 const struct nls_table *nls_cp) 199{ 200 int len; 201 char *data = *pbcc_area; 202 203 cifs_dbg(FYI, "bleft %d\n", bleft); 204 205 kfree(ses->serverOS); 206 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 207 cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); 208 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 209 data += len; 210 bleft -= len; 211 if (bleft <= 0) 212 return; 213 214 kfree(ses->serverNOS); 215 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 216 cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); 217 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 218 data += len; 219 bleft -= len; 220 if (bleft <= 0) 221 return; 222 223 kfree(ses->serverDomain); 224 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); 225 cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); 226 227 return; 228} 229 230static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, 231 struct cifs_ses *ses, 232 const struct nls_table *nls_cp) 233{ 234 int len; 235 char *bcc_ptr = *pbcc_area; 236 237 cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); 238 239 len = strnlen(bcc_ptr, bleft); 240 if (len >= bleft) 241 return; 242 243 kfree(ses->serverOS); 244 245 ses->serverOS = kzalloc(len + 1, GFP_KERNEL); 246 if (ses->serverOS) { 247 strncpy(ses->serverOS, bcc_ptr, len); 248 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 249 cifs_dbg(FYI, "OS/2 server\n"); 250 } 251 252 bcc_ptr += len + 1; 253 bleft -= len + 1; 254 255 len = strnlen(bcc_ptr, bleft); 256 if (len >= bleft) 257 return; 258 259 kfree(ses->serverNOS); 260 261 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL); 262 if (ses->serverNOS) 263 strncpy(ses->serverNOS, bcc_ptr, len); 264 265 bcc_ptr += len + 1; 266 bleft -= len + 1; 267 268 len = strnlen(bcc_ptr, bleft); 269 if (len > bleft) 270 return; 271 272 /* No domain field in LANMAN case. Domain is 273 returned by old servers in the SMB negprot response */ 274 /* BB For newer servers which do not support Unicode, 275 but thus do return domain here we could add parsing 276 for it later, but it is not very important */ 277 cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); 278} 279 280int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 281 struct cifs_ses *ses) 282{ 283 unsigned int tioffset; /* challenge message target info area */ 284 unsigned int tilen; /* challenge message target info area length */ 285 286 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 287 288 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 289 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); 290 return -EINVAL; 291 } 292 293 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 294 cifs_dbg(VFS, "blob signature incorrect %s\n", 295 pblob->Signature); 296 return -EINVAL; 297 } 298 if (pblob->MessageType != NtLmChallenge) { 299 cifs_dbg(VFS, "Incorrect message type %d\n", 300 pblob->MessageType); 301 return -EINVAL; 302 } 303 304 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 305 /* BB we could decode pblob->NegotiateFlags; some may be useful */ 306 /* In particular we can examine sign flags */ 307 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 308 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 309 ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags); 310 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); 311 tilen = le16_to_cpu(pblob->TargetInfoArray.Length); 312 if (tioffset > blob_len || tioffset + tilen > blob_len) { 313 cifs_dbg(VFS, "tioffset + tilen too high %u + %u", 314 tioffset, tilen); 315 return -EINVAL; 316 } 317 if (tilen) { 318 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, 319 GFP_KERNEL); 320 if (!ses->auth_key.response) { 321 cifs_dbg(VFS, "Challenge target info alloc failure"); 322 return -ENOMEM; 323 } 324 ses->auth_key.len = tilen; 325 } 326 327 return 0; 328} 329 330/* BB Move to ntlmssp.c eventually */ 331 332/* We do not malloc the blob, it is passed in pbuffer, because 333 it is fixed size, and small, making this approach cleaner */ 334void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, 335 struct cifs_ses *ses) 336{ 337 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer; 338 __u32 flags; 339 340 memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); 341 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 342 sec_blob->MessageType = NtLmNegotiate; 343 344 /* BB is NTLMV2 session security format easier to use here? */ 345 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 346 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 347 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 348 NTLMSSP_NEGOTIATE_SEAL; 349 if (ses->server->sign) 350 flags |= NTLMSSP_NEGOTIATE_SIGN; 351 if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 352 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 353 354 sec_blob->NegotiateFlags = cpu_to_le32(flags); 355 356 sec_blob->WorkstationName.BufferOffset = 0; 357 sec_blob->WorkstationName.Length = 0; 358 sec_blob->WorkstationName.MaximumLength = 0; 359 360 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */ 361 sec_blob->DomainName.BufferOffset = 0; 362 sec_blob->DomainName.Length = 0; 363 sec_blob->DomainName.MaximumLength = 0; 364} 365 366static int size_of_ntlmssp_blob(struct cifs_ses *ses) 367{ 368 int sz = sizeof(AUTHENTICATE_MESSAGE) + ses->auth_key.len 369 - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2; 370 371 if (ses->domainName) 372 sz += 2 * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 373 else 374 sz += 2; 375 376 if (ses->user_name) 377 sz += 2 * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 378 else 379 sz += 2; 380 381 return sz; 382} 383 384int build_ntlmssp_auth_blob(unsigned char **pbuffer, 385 u16 *buflen, 386 struct cifs_ses *ses, 387 const struct nls_table *nls_cp) 388{ 389 int rc; 390 AUTHENTICATE_MESSAGE *sec_blob; 391 __u32 flags; 392 unsigned char *tmp; 393 394 rc = setup_ntlmv2_rsp(ses, nls_cp); 395 if (rc) { 396 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); 397 *buflen = 0; 398 goto setup_ntlmv2_ret; 399 } 400 *pbuffer = kmalloc(size_of_ntlmssp_blob(ses), GFP_KERNEL); 401 if (!*pbuffer) { 402 rc = -ENOMEM; 403 cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc); 404 *buflen = 0; 405 goto setup_ntlmv2_ret; 406 } 407 sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer; 408 409 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 410 sec_blob->MessageType = NtLmAuthenticate; 411 412 flags = NTLMSSP_NEGOTIATE_56 | 413 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO | 414 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 415 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC | 416 NTLMSSP_NEGOTIATE_SEAL; 417 if (ses->server->sign) 418 flags |= NTLMSSP_NEGOTIATE_SIGN; 419 if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess) 420 flags |= NTLMSSP_NEGOTIATE_KEY_XCH; 421 422 tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE); 423 sec_blob->NegotiateFlags = cpu_to_le32(flags); 424 425 sec_blob->LmChallengeResponse.BufferOffset = 426 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 427 sec_blob->LmChallengeResponse.Length = 0; 428 sec_blob->LmChallengeResponse.MaximumLength = 0; 429 430 sec_blob->NtChallengeResponse.BufferOffset = 431 cpu_to_le32(tmp - *pbuffer); 432 if (ses->user_name != NULL) { 433 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 434 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 435 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 436 437 sec_blob->NtChallengeResponse.Length = 438 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 439 sec_blob->NtChallengeResponse.MaximumLength = 440 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 441 } else { 442 /* 443 * don't send an NT Response for anonymous access 444 */ 445 sec_blob->NtChallengeResponse.Length = 0; 446 sec_blob->NtChallengeResponse.MaximumLength = 0; 447 } 448 449 if (ses->domainName == NULL) { 450 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer); 451 sec_blob->DomainName.Length = 0; 452 sec_blob->DomainName.MaximumLength = 0; 453 tmp += 2; 454 } else { 455 int len; 456 len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName, 457 CIFS_MAX_DOMAINNAME_LEN, nls_cp); 458 len *= 2; /* unicode is 2 bytes each */ 459 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer); 460 sec_blob->DomainName.Length = cpu_to_le16(len); 461 sec_blob->DomainName.MaximumLength = cpu_to_le16(len); 462 tmp += len; 463 } 464 465 if (ses->user_name == NULL) { 466 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer); 467 sec_blob->UserName.Length = 0; 468 sec_blob->UserName.MaximumLength = 0; 469 tmp += 2; 470 } else { 471 int len; 472 len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name, 473 CIFS_MAX_USERNAME_LEN, nls_cp); 474 len *= 2; /* unicode is 2 bytes each */ 475 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer); 476 sec_blob->UserName.Length = cpu_to_le16(len); 477 sec_blob->UserName.MaximumLength = cpu_to_le16(len); 478 tmp += len; 479 } 480 481 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - *pbuffer); 482 sec_blob->WorkstationName.Length = 0; 483 sec_blob->WorkstationName.MaximumLength = 0; 484 tmp += 2; 485 486 if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) || 487 (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) 488 && !calc_seckey(ses)) { 489 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); 490 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 491 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); 492 sec_blob->SessionKey.MaximumLength = 493 cpu_to_le16(CIFS_CPHTXT_SIZE); 494 tmp += CIFS_CPHTXT_SIZE; 495 } else { 496 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer); 497 sec_blob->SessionKey.Length = 0; 498 sec_blob->SessionKey.MaximumLength = 0; 499 } 500 501 *buflen = tmp - *pbuffer; 502setup_ntlmv2_ret: 503 return rc; 504} 505 506enum securityEnum 507cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) 508{ 509 switch (server->negflavor) { 510 case CIFS_NEGFLAVOR_EXTENDED: 511 switch (requested) { 512 case Kerberos: 513 case RawNTLMSSP: 514 return requested; 515 case Unspecified: 516 if (server->sec_ntlmssp && 517 (global_secflags & CIFSSEC_MAY_NTLMSSP)) 518 return RawNTLMSSP; 519 if ((server->sec_kerberos || server->sec_mskerberos) && 520 (global_secflags & CIFSSEC_MAY_KRB5)) 521 return Kerberos; 522 /* Fallthrough */ 523 default: 524 return Unspecified; 525 } 526 case CIFS_NEGFLAVOR_UNENCAP: 527 switch (requested) { 528 case NTLM: 529 case NTLMv2: 530 return requested; 531 case Unspecified: 532 if (global_secflags & CIFSSEC_MAY_NTLMV2) 533 return NTLMv2; 534 if (global_secflags & CIFSSEC_MAY_NTLM) 535 return NTLM; 536 default: 537 break; 538 } 539 /* Fallthrough - to attempt LANMAN authentication next */ 540 case CIFS_NEGFLAVOR_LANMAN: 541 switch (requested) { 542 case LANMAN: 543 return requested; 544 case Unspecified: 545 if (global_secflags & CIFSSEC_MAY_LANMAN) 546 return LANMAN; 547 /* Fallthrough */ 548 default: 549 return Unspecified; 550 } 551 default: 552 return Unspecified; 553 } 554} 555 556struct sess_data { 557 unsigned int xid; 558 struct cifs_ses *ses; 559 struct nls_table *nls_cp; 560 void (*func)(struct sess_data *); 561 int result; 562 563 /* we will send the SMB in three pieces: 564 * a fixed length beginning part, an optional 565 * SPNEGO blob (which can be zero length), and a 566 * last part which will include the strings 567 * and rest of bcc area. This allows us to avoid 568 * a large buffer 17K allocation 569 */ 570 int buf0_type; 571 struct kvec iov[3]; 572}; 573 574static int 575sess_alloc_buffer(struct sess_data *sess_data, int wct) 576{ 577 int rc; 578 struct cifs_ses *ses = sess_data->ses; 579 struct smb_hdr *smb_buf; 580 581 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 582 (void **)&smb_buf); 583 584 if (rc) 585 return rc; 586 587 sess_data->iov[0].iov_base = (char *)smb_buf; 588 sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; 589 /* 590 * This variable will be used to clear the buffer 591 * allocated above in case of any error in the calling function. 592 */ 593 sess_data->buf0_type = CIFS_SMALL_BUFFER; 594 595 /* 2000 big enough to fit max user, domain, NOS name etc. */ 596 sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL); 597 if (!sess_data->iov[2].iov_base) { 598 rc = -ENOMEM; 599 goto out_free_smb_buf; 600 } 601 602 return 0; 603 604out_free_smb_buf: 605 kfree(smb_buf); 606 sess_data->iov[0].iov_base = NULL; 607 sess_data->iov[0].iov_len = 0; 608 sess_data->buf0_type = CIFS_NO_BUFFER; 609 return rc; 610} 611 612static void 613sess_free_buffer(struct sess_data *sess_data) 614{ 615 616 free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); 617 sess_data->buf0_type = CIFS_NO_BUFFER; 618 kfree(sess_data->iov[2].iov_base); 619} 620 621static int 622sess_establish_session(struct sess_data *sess_data) 623{ 624 struct cifs_ses *ses = sess_data->ses; 625 626 mutex_lock(&ses->server->srv_mutex); 627 if (!ses->server->session_estab) { 628 if (ses->server->sign) { 629 ses->server->session_key.response = 630 kmemdup(ses->auth_key.response, 631 ses->auth_key.len, GFP_KERNEL); 632 if (!ses->server->session_key.response) { 633 mutex_unlock(&ses->server->srv_mutex); 634 return -ENOMEM; 635 } 636 ses->server->session_key.len = 637 ses->auth_key.len; 638 } 639 ses->server->sequence_number = 0x2; 640 ses->server->session_estab = true; 641 } 642 mutex_unlock(&ses->server->srv_mutex); 643 644 cifs_dbg(FYI, "CIFS session established successfully\n"); 645 spin_lock(&GlobalMid_Lock); 646 ses->status = CifsGood; 647 ses->need_reconnect = false; 648 spin_unlock(&GlobalMid_Lock); 649 650 return 0; 651} 652 653static int 654sess_sendreceive(struct sess_data *sess_data) 655{ 656 int rc; 657 struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base; 658 __u16 count; 659 struct kvec rsp_iov = { NULL, 0 }; 660 661 count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len; 662 smb_buf->smb_buf_length = 663 cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count); 664 put_bcc(count, smb_buf); 665 666 rc = SendReceive2(sess_data->xid, sess_data->ses, 667 sess_data->iov, 3 /* num_iovecs */, 668 &sess_data->buf0_type, 669 CIFS_LOG_ERROR, &rsp_iov); 670 cifs_small_buf_release(sess_data->iov[0].iov_base); 671 memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec)); 672 673 return rc; 674} 675 676/* 677 * LANMAN and plaintext are less secure and off by default. 678 * So we make this explicitly be turned on in kconfig (in the 679 * build) and turned on at runtime (changed from the default) 680 * in proc/fs/cifs or via mount parm. Unfortunately this is 681 * needed for old Win (e.g. Win95), some obscure NAS and OS/2 682 */ 683#ifdef CONFIG_CIFS_WEAK_PW_HASH 684static void 685sess_auth_lanman(struct sess_data *sess_data) 686{ 687 int rc = 0; 688 struct smb_hdr *smb_buf; 689 SESSION_SETUP_ANDX *pSMB; 690 char *bcc_ptr; 691 struct cifs_ses *ses = sess_data->ses; 692 char lnm_session_key[CIFS_AUTH_RESP_SIZE]; 693 __u32 capabilities; 694 __u16 bytes_remaining; 695 696 /* lanman 2 style sessionsetup */ 697 /* wct = 10 */ 698 rc = sess_alloc_buffer(sess_data, 10); 699 if (rc) 700 goto out; 701 702 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 703 bcc_ptr = sess_data->iov[2].iov_base; 704 capabilities = cifs_ssetup_hdr(ses, pSMB); 705 706 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE; 707 708 if (ses->user_name != NULL) { 709 /* no capabilities flags in old lanman negotiation */ 710 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE); 711 712 /* Calculate hash with password and copy into bcc_ptr. 713 * Encryption Key (stored as in cryptkey) gets used if the 714 * security mode bit in Negottiate Protocol response states 715 * to use challenge/response method (i.e. Password bit is 1). 716 */ 717 rc = calc_lanman_hash(ses->password, ses->server->cryptkey, 718 ses->server->sec_mode & SECMODE_PW_ENCRYPT ? 719 true : false, lnm_session_key); 720 if (rc) 721 goto out; 722 723 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE); 724 bcc_ptr += CIFS_AUTH_RESP_SIZE; 725 } else { 726 pSMB->old_req.PasswordLength = 0; 727 } 728 729 /* 730 * can not sign if LANMAN negotiated so no need 731 * to calculate signing key? but what if server 732 * changed to do higher than lanman dialect and 733 * we reconnected would we ever calc signing_key? 734 */ 735 736 cifs_dbg(FYI, "Negotiating LANMAN setting up strings\n"); 737 /* Unicode not allowed for LANMAN dialects */ 738 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 739 740 sess_data->iov[2].iov_len = (long) bcc_ptr - 741 (long) sess_data->iov[2].iov_base; 742 743 rc = sess_sendreceive(sess_data); 744 if (rc) 745 goto out; 746 747 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 748 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 749 750 /* lanman response has a word count of 3 */ 751 if (smb_buf->WordCount != 3) { 752 rc = -EIO; 753 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 754 goto out; 755 } 756 757 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 758 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 759 760 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 761 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 762 763 bytes_remaining = get_bcc(smb_buf); 764 bcc_ptr = pByteArea(smb_buf); 765 766 /* BB check if Unicode and decode strings */ 767 if (bytes_remaining == 0) { 768 /* no string area to decode, do nothing */ 769 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 770 /* unicode string area must be word-aligned */ 771 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 772 ++bcc_ptr; 773 --bytes_remaining; 774 } 775 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 776 sess_data->nls_cp); 777 } else { 778 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 779 sess_data->nls_cp); 780 } 781 782 rc = sess_establish_session(sess_data); 783out: 784 sess_data->result = rc; 785 sess_data->func = NULL; 786 sess_free_buffer(sess_data); 787} 788 789#endif 790 791static void 792sess_auth_ntlm(struct sess_data *sess_data) 793{ 794 int rc = 0; 795 struct smb_hdr *smb_buf; 796 SESSION_SETUP_ANDX *pSMB; 797 char *bcc_ptr; 798 struct cifs_ses *ses = sess_data->ses; 799 __u32 capabilities; 800 __u16 bytes_remaining; 801 802 /* old style NTLM sessionsetup */ 803 /* wct = 13 */ 804 rc = sess_alloc_buffer(sess_data, 13); 805 if (rc) 806 goto out; 807 808 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 809 bcc_ptr = sess_data->iov[2].iov_base; 810 capabilities = cifs_ssetup_hdr(ses, pSMB); 811 812 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 813 if (ses->user_name != NULL) { 814 pSMB->req_no_secext.CaseInsensitivePasswordLength = 815 cpu_to_le16(CIFS_AUTH_RESP_SIZE); 816 pSMB->req_no_secext.CaseSensitivePasswordLength = 817 cpu_to_le16(CIFS_AUTH_RESP_SIZE); 818 819 /* calculate ntlm response and session key */ 820 rc = setup_ntlm_response(ses, sess_data->nls_cp); 821 if (rc) { 822 cifs_dbg(VFS, "Error %d during NTLM authentication\n", 823 rc); 824 goto out; 825 } 826 827 /* copy ntlm response */ 828 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 829 CIFS_AUTH_RESP_SIZE); 830 bcc_ptr += CIFS_AUTH_RESP_SIZE; 831 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 832 CIFS_AUTH_RESP_SIZE); 833 bcc_ptr += CIFS_AUTH_RESP_SIZE; 834 } else { 835 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 836 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 837 } 838 839 if (ses->capabilities & CAP_UNICODE) { 840 /* unicode strings must be word aligned */ 841 if (sess_data->iov[0].iov_len % 2) { 842 *bcc_ptr = 0; 843 bcc_ptr++; 844 } 845 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 846 } else { 847 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 848 } 849 850 851 sess_data->iov[2].iov_len = (long) bcc_ptr - 852 (long) sess_data->iov[2].iov_base; 853 854 rc = sess_sendreceive(sess_data); 855 if (rc) 856 goto out; 857 858 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 859 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 860 861 if (smb_buf->WordCount != 3) { 862 rc = -EIO; 863 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 864 goto out; 865 } 866 867 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 868 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 869 870 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 871 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 872 873 bytes_remaining = get_bcc(smb_buf); 874 bcc_ptr = pByteArea(smb_buf); 875 876 /* BB check if Unicode and decode strings */ 877 if (bytes_remaining == 0) { 878 /* no string area to decode, do nothing */ 879 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 880 /* unicode string area must be word-aligned */ 881 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 882 ++bcc_ptr; 883 --bytes_remaining; 884 } 885 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 886 sess_data->nls_cp); 887 } else { 888 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 889 sess_data->nls_cp); 890 } 891 892 rc = sess_establish_session(sess_data); 893out: 894 sess_data->result = rc; 895 sess_data->func = NULL; 896 sess_free_buffer(sess_data); 897 kfree(ses->auth_key.response); 898 ses->auth_key.response = NULL; 899} 900 901static void 902sess_auth_ntlmv2(struct sess_data *sess_data) 903{ 904 int rc = 0; 905 struct smb_hdr *smb_buf; 906 SESSION_SETUP_ANDX *pSMB; 907 char *bcc_ptr; 908 struct cifs_ses *ses = sess_data->ses; 909 __u32 capabilities; 910 __u16 bytes_remaining; 911 912 /* old style NTLM sessionsetup */ 913 /* wct = 13 */ 914 rc = sess_alloc_buffer(sess_data, 13); 915 if (rc) 916 goto out; 917 918 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 919 bcc_ptr = sess_data->iov[2].iov_base; 920 capabilities = cifs_ssetup_hdr(ses, pSMB); 921 922 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 923 924 /* LM2 password would be here if we supported it */ 925 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 926 927 if (ses->user_name != NULL) { 928 /* calculate nlmv2 response and session key */ 929 rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp); 930 if (rc) { 931 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc); 932 goto out; 933 } 934 935 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, 936 ses->auth_key.len - CIFS_SESS_KEY_SIZE); 937 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; 938 939 /* set case sensitive password length after tilen may get 940 * assigned, tilen is 0 otherwise. 941 */ 942 pSMB->req_no_secext.CaseSensitivePasswordLength = 943 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); 944 } else { 945 pSMB->req_no_secext.CaseSensitivePasswordLength = 0; 946 } 947 948 if (ses->capabilities & CAP_UNICODE) { 949 if (sess_data->iov[0].iov_len % 2) { 950 *bcc_ptr = 0; 951 bcc_ptr++; 952 } 953 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 954 } else { 955 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 956 } 957 958 959 sess_data->iov[2].iov_len = (long) bcc_ptr - 960 (long) sess_data->iov[2].iov_base; 961 962 rc = sess_sendreceive(sess_data); 963 if (rc) 964 goto out; 965 966 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 967 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 968 969 if (smb_buf->WordCount != 3) { 970 rc = -EIO; 971 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 972 goto out; 973 } 974 975 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 976 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 977 978 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 979 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 980 981 bytes_remaining = get_bcc(smb_buf); 982 bcc_ptr = pByteArea(smb_buf); 983 984 /* BB check if Unicode and decode strings */ 985 if (bytes_remaining == 0) { 986 /* no string area to decode, do nothing */ 987 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 988 /* unicode string area must be word-aligned */ 989 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 990 ++bcc_ptr; 991 --bytes_remaining; 992 } 993 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 994 sess_data->nls_cp); 995 } else { 996 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 997 sess_data->nls_cp); 998 } 999 1000 rc = sess_establish_session(sess_data); 1001out: 1002 sess_data->result = rc; 1003 sess_data->func = NULL; 1004 sess_free_buffer(sess_data); 1005 kfree(ses->auth_key.response); 1006 ses->auth_key.response = NULL; 1007} 1008 1009#ifdef CONFIG_CIFS_UPCALL 1010static void 1011sess_auth_kerberos(struct sess_data *sess_data) 1012{ 1013 int rc = 0; 1014 struct smb_hdr *smb_buf; 1015 SESSION_SETUP_ANDX *pSMB; 1016 char *bcc_ptr; 1017 struct cifs_ses *ses = sess_data->ses; 1018 __u32 capabilities; 1019 __u16 bytes_remaining; 1020 struct key *spnego_key = NULL; 1021 struct cifs_spnego_msg *msg; 1022 u16 blob_len; 1023 1024 /* extended security */ 1025 /* wct = 12 */ 1026 rc = sess_alloc_buffer(sess_data, 12); 1027 if (rc) 1028 goto out; 1029 1030 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1031 bcc_ptr = sess_data->iov[2].iov_base; 1032 capabilities = cifs_ssetup_hdr(ses, pSMB); 1033 1034 spnego_key = cifs_get_spnego_key(ses); 1035 if (IS_ERR(spnego_key)) { 1036 rc = PTR_ERR(spnego_key); 1037 spnego_key = NULL; 1038 goto out; 1039 } 1040 1041 msg = spnego_key->payload.data[0]; 1042 /* 1043 * check version field to make sure that cifs.upcall is 1044 * sending us a response in an expected form 1045 */ 1046 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 1047 cifs_dbg(VFS, 1048 "incorrect version of cifs.upcall (expected %d but got %d)", 1049 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 1050 rc = -EKEYREJECTED; 1051 goto out_put_spnego_key; 1052 } 1053 1054 ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 1055 GFP_KERNEL); 1056 if (!ses->auth_key.response) { 1057 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory", 1058 msg->sesskey_len); 1059 rc = -ENOMEM; 1060 goto out_put_spnego_key; 1061 } 1062 ses->auth_key.len = msg->sesskey_len; 1063 1064 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1065 capabilities |= CAP_EXTENDED_SECURITY; 1066 pSMB->req.Capabilities = cpu_to_le32(capabilities); 1067 sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; 1068 sess_data->iov[1].iov_len = msg->secblob_len; 1069 pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); 1070 1071 if (ses->capabilities & CAP_UNICODE) { 1072 /* unicode strings must be word aligned */ 1073 if ((sess_data->iov[0].iov_len 1074 + sess_data->iov[1].iov_len) % 2) { 1075 *bcc_ptr = 0; 1076 bcc_ptr++; 1077 } 1078 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1079 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); 1080 } else { 1081 /* BB: is this right? */ 1082 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); 1083 } 1084 1085 sess_data->iov[2].iov_len = (long) bcc_ptr - 1086 (long) sess_data->iov[2].iov_base; 1087 1088 rc = sess_sendreceive(sess_data); 1089 if (rc) 1090 goto out_put_spnego_key; 1091 1092 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1093 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1094 1095 if (smb_buf->WordCount != 4) { 1096 rc = -EIO; 1097 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1098 goto out_put_spnego_key; 1099 } 1100 1101 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1102 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1103 1104 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1105 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1106 1107 bytes_remaining = get_bcc(smb_buf); 1108 bcc_ptr = pByteArea(smb_buf); 1109 1110 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1111 if (blob_len > bytes_remaining) { 1112 cifs_dbg(VFS, "bad security blob length %d\n", 1113 blob_len); 1114 rc = -EINVAL; 1115 goto out_put_spnego_key; 1116 } 1117 bcc_ptr += blob_len; 1118 bytes_remaining -= blob_len; 1119 1120 /* BB check if Unicode and decode strings */ 1121 if (bytes_remaining == 0) { 1122 /* no string area to decode, do nothing */ 1123 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1124 /* unicode string area must be word-aligned */ 1125 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 1126 ++bcc_ptr; 1127 --bytes_remaining; 1128 } 1129 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1130 sess_data->nls_cp); 1131 } else { 1132 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1133 sess_data->nls_cp); 1134 } 1135 1136 rc = sess_establish_session(sess_data); 1137out_put_spnego_key: 1138 key_invalidate(spnego_key); 1139 key_put(spnego_key); 1140out: 1141 sess_data->result = rc; 1142 sess_data->func = NULL; 1143 sess_free_buffer(sess_data); 1144 kfree(ses->auth_key.response); 1145 ses->auth_key.response = NULL; 1146} 1147 1148#endif /* ! CONFIG_CIFS_UPCALL */ 1149 1150/* 1151 * The required kvec buffers have to be allocated before calling this 1152 * function. 1153 */ 1154static int 1155_sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data) 1156{ 1157 SESSION_SETUP_ANDX *pSMB; 1158 struct cifs_ses *ses = sess_data->ses; 1159 __u32 capabilities; 1160 char *bcc_ptr; 1161 1162 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1163 1164 capabilities = cifs_ssetup_hdr(ses, pSMB); 1165 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 1166 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); 1167 return -ENOSYS; 1168 } 1169 1170 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 1171 capabilities |= CAP_EXTENDED_SECURITY; 1172 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 1173 1174 bcc_ptr = sess_data->iov[2].iov_base; 1175 /* unicode strings must be word aligned */ 1176 if ((sess_data->iov[0].iov_len + sess_data->iov[1].iov_len) % 2) { 1177 *bcc_ptr = 0; 1178 bcc_ptr++; 1179 } 1180 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); 1181 1182 sess_data->iov[2].iov_len = (long) bcc_ptr - 1183 (long) sess_data->iov[2].iov_base; 1184 1185 return 0; 1186} 1187 1188static void 1189sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data); 1190 1191static void 1192sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data) 1193{ 1194 int rc; 1195 struct smb_hdr *smb_buf; 1196 SESSION_SETUP_ANDX *pSMB; 1197 struct cifs_ses *ses = sess_data->ses; 1198 __u16 bytes_remaining; 1199 char *bcc_ptr; 1200 u16 blob_len; 1201 1202 cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n"); 1203 1204 /* 1205 * if memory allocation is successful, caller of this function 1206 * frees it. 1207 */ 1208 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); 1209 if (!ses->ntlmssp) { 1210 rc = -ENOMEM; 1211 goto out; 1212 } 1213 ses->ntlmssp->sesskey_per_smbsess = false; 1214 1215 /* wct = 12 */ 1216 rc = sess_alloc_buffer(sess_data, 12); 1217 if (rc) 1218 goto out; 1219 1220 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1221 1222 /* Build security blob before we assemble the request */ 1223 build_ntlmssp_negotiate_blob(pSMB->req.SecurityBlob, ses); 1224 sess_data->iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE); 1225 sess_data->iov[1].iov_base = pSMB->req.SecurityBlob; 1226 pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE)); 1227 1228 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1229 if (rc) 1230 goto out; 1231 1232 rc = sess_sendreceive(sess_data); 1233 1234 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1235 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1236 1237 /* If true, rc here is expected and not an error */ 1238 if (sess_data->buf0_type != CIFS_NO_BUFFER && 1239 smb_buf->Status.CifsError == 1240 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)) 1241 rc = 0; 1242 1243 if (rc) 1244 goto out; 1245 1246 cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n"); 1247 1248 if (smb_buf->WordCount != 4) { 1249 rc = -EIO; 1250 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1251 goto out; 1252 } 1253 1254 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 1255 cifs_dbg(FYI, "UID = %llu\n", ses->Suid); 1256 1257 bytes_remaining = get_bcc(smb_buf); 1258 bcc_ptr = pByteArea(smb_buf); 1259 1260 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1261 if (blob_len > bytes_remaining) { 1262 cifs_dbg(VFS, "bad security blob length %d\n", 1263 blob_len); 1264 rc = -EINVAL; 1265 goto out; 1266 } 1267 1268 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 1269out: 1270 sess_free_buffer(sess_data); 1271 1272 if (!rc) { 1273 sess_data->func = sess_auth_rawntlmssp_authenticate; 1274 return; 1275 } 1276 1277 /* Else error. Cleanup */ 1278 kfree(ses->auth_key.response); 1279 ses->auth_key.response = NULL; 1280 kfree(ses->ntlmssp); 1281 ses->ntlmssp = NULL; 1282 1283 sess_data->func = NULL; 1284 sess_data->result = rc; 1285} 1286 1287static void 1288sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data) 1289{ 1290 int rc; 1291 struct smb_hdr *smb_buf; 1292 SESSION_SETUP_ANDX *pSMB; 1293 struct cifs_ses *ses = sess_data->ses; 1294 __u16 bytes_remaining; 1295 char *bcc_ptr; 1296 unsigned char *ntlmsspblob = NULL; 1297 u16 blob_len; 1298 1299 cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n"); 1300 1301 /* wct = 12 */ 1302 rc = sess_alloc_buffer(sess_data, 12); 1303 if (rc) 1304 goto out; 1305 1306 /* Build security blob before we assemble the request */ 1307 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1308 smb_buf = (struct smb_hdr *)pSMB; 1309 rc = build_ntlmssp_auth_blob(&ntlmsspblob, 1310 &blob_len, ses, sess_data->nls_cp); 1311 if (rc) 1312 goto out_free_ntlmsspblob; 1313 sess_data->iov[1].iov_len = blob_len; 1314 sess_data->iov[1].iov_base = ntlmsspblob; 1315 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); 1316 /* 1317 * Make sure that we tell the server that we are using 1318 * the uid that it just gave us back on the response 1319 * (challenge) 1320 */ 1321 smb_buf->Uid = ses->Suid; 1322 1323 rc = _sess_auth_rawntlmssp_assemble_req(sess_data); 1324 if (rc) 1325 goto out_free_ntlmsspblob; 1326 1327 rc = sess_sendreceive(sess_data); 1328 if (rc) 1329 goto out_free_ntlmsspblob; 1330 1331 pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base; 1332 smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base; 1333 if (smb_buf->WordCount != 4) { 1334 rc = -EIO; 1335 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); 1336 goto out_free_ntlmsspblob; 1337 } 1338 1339 if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN) 1340 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ 1341 1342 if (ses->Suid != smb_buf->Uid) { 1343 ses->Suid = smb_buf->Uid; 1344 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid); 1345 } 1346 1347 bytes_remaining = get_bcc(smb_buf); 1348 bcc_ptr = pByteArea(smb_buf); 1349 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 1350 if (blob_len > bytes_remaining) { 1351 cifs_dbg(VFS, "bad security blob length %d\n", 1352 blob_len); 1353 rc = -EINVAL; 1354 goto out_free_ntlmsspblob; 1355 } 1356 bcc_ptr += blob_len; 1357 bytes_remaining -= blob_len; 1358 1359 1360 /* BB check if Unicode and decode strings */ 1361 if (bytes_remaining == 0) { 1362 /* no string area to decode, do nothing */ 1363 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 1364 /* unicode string area must be word-aligned */ 1365 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 1366 ++bcc_ptr; 1367 --bytes_remaining; 1368 } 1369 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, 1370 sess_data->nls_cp); 1371 } else { 1372 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, 1373 sess_data->nls_cp); 1374 } 1375 1376out_free_ntlmsspblob: 1377 kfree(ntlmsspblob); 1378out: 1379 sess_free_buffer(sess_data); 1380 1381 if (!rc) 1382 rc = sess_establish_session(sess_data); 1383 1384 /* Cleanup */ 1385 kfree(ses->auth_key.response); 1386 ses->auth_key.response = NULL; 1387 kfree(ses->ntlmssp); 1388 ses->ntlmssp = NULL; 1389 1390 sess_data->func = NULL; 1391 sess_data->result = rc; 1392} 1393 1394static int select_sec(struct cifs_ses *ses, struct sess_data *sess_data) 1395{ 1396 int type; 1397 1398 type = cifs_select_sectype(ses->server, ses->sectype); 1399 cifs_dbg(FYI, "sess setup type %d\n", type); 1400 if (type == Unspecified) { 1401 cifs_dbg(VFS, 1402 "Unable to select appropriate authentication method!"); 1403 return -EINVAL; 1404 } 1405 1406 switch (type) { 1407 case LANMAN: 1408 /* LANMAN and plaintext are less secure and off by default. 1409 * So we make this explicitly be turned on in kconfig (in the 1410 * build) and turned on at runtime (changed from the default) 1411 * in proc/fs/cifs or via mount parm. Unfortunately this is 1412 * needed for old Win (e.g. Win95), some obscure NAS and OS/2 */ 1413#ifdef CONFIG_CIFS_WEAK_PW_HASH 1414 sess_data->func = sess_auth_lanman; 1415 break; 1416#else 1417 return -EOPNOTSUPP; 1418#endif 1419 case NTLM: 1420 sess_data->func = sess_auth_ntlm; 1421 break; 1422 case NTLMv2: 1423 sess_data->func = sess_auth_ntlmv2; 1424 break; 1425 case Kerberos: 1426#ifdef CONFIG_CIFS_UPCALL 1427 sess_data->func = sess_auth_kerberos; 1428 break; 1429#else 1430 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); 1431 return -ENOSYS; 1432 break; 1433#endif /* CONFIG_CIFS_UPCALL */ 1434 case RawNTLMSSP: 1435 sess_data->func = sess_auth_rawntlmssp_negotiate; 1436 break; 1437 default: 1438 cifs_dbg(VFS, "secType %d not supported!\n", type); 1439 return -ENOSYS; 1440 } 1441 1442 return 0; 1443} 1444 1445int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, 1446 const struct nls_table *nls_cp) 1447{ 1448 int rc = 0; 1449 struct sess_data *sess_data; 1450 1451 if (ses == NULL) { 1452 WARN(1, "%s: ses == NULL!", __func__); 1453 return -EINVAL; 1454 } 1455 1456 sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL); 1457 if (!sess_data) 1458 return -ENOMEM; 1459 1460 rc = select_sec(ses, sess_data); 1461 if (rc) 1462 goto out; 1463 1464 sess_data->xid = xid; 1465 sess_data->ses = ses; 1466 sess_data->buf0_type = CIFS_NO_BUFFER; 1467 sess_data->nls_cp = (struct nls_table *) nls_cp; 1468 1469 while (sess_data->func) 1470 sess_data->func(sess_data); 1471 1472 /* Store result before we free sess_data */ 1473 rc = sess_data->result; 1474 1475out: 1476 kfree(sess_data); 1477 return rc; 1478}