commit 69ea8b857782ea56d9db01e2f57f9067abd3f013 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6

Pull CIFS fixes from Steve French:
"Four fixes from testing at the recent SMB3 Plugfest including two
important authentication ones (one fixes authentication problems to
some popular servers when clock times differ more than two hours
between systems, the other fixes Kerberos authentication for SMB3)"

* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
fix encryption error checks on mount
[SMB3] Fix sec=krb5 on smb3 mounts
cifs: use server timestamp for ntlmv2 authentication
disabling oplocks/leases via module parm enable_oplocks broken for SMB3

Linus Torvalds 10 years ago 69ea8b85 d8cc3972

+126 -19

3 changed files

expand all

unified split

cifs

cifsencrypt.c

smb2ops.c

smb2pdu.c

+51 -2

fs/cifs/cifsencrypt.c

··· 444 return 0; 445 } 446 447 static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash, 448 const struct nls_table *nls_cp) 449 { ··· 683 struct ntlmv2_resp *ntlmv2; 684 char ntlmv2_hash[16]; 685 unsigned char *tiblob = NULL; /* target info blob */ 686 687 if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) { 688 if (!ses->domainName) { ··· 702 } 703 } 704 705 baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp); 706 tilen = ses->auth_key.len; 707 tiblob = ses->auth_key.response; ··· 724 (ses->auth_key.response + CIFS_SESS_KEY_SIZE); 725 ntlmv2->blob_signature = cpu_to_le32(0x00000101); 726 ntlmv2->reserved = 0; 727 - /* Must be within 5 minutes of the server */ 728 - ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME)); 729 get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal)); 730 ntlmv2->reserved2 = 0; 731

··· 444 return 0; 445 } 446 447 + /* Server has provided av pairs/target info in the type 2 challenge 448 + * packet and we have plucked it and stored within smb session. 449 + * We parse that blob here to find the server given timestamp 450 + * as part of ntlmv2 authentication (or local current time as 451 + * default in case of failure) 452 + */ 453 + static __le64 454 + find_timestamp(struct cifs_ses *ses) 455 + { 456 + unsigned int attrsize; 457 + unsigned int type; 458 + unsigned int onesize = sizeof(struct ntlmssp2_name); 459 + unsigned char *blobptr; 460 + unsigned char *blobend; 461 + struct ntlmssp2_name *attrptr; 462 + 463 + if (!ses->auth_key.len || !ses->auth_key.response) 464 + return 0; 465 + 466 + blobptr = ses->auth_key.response; 467 + blobend = blobptr + ses->auth_key.len; 468 + 469 + while (blobptr + onesize < blobend) { 470 + attrptr = (struct ntlmssp2_name *) blobptr; 471 + type = le16_to_cpu(attrptr->type); 472 + if (type == NTLMSSP_AV_EOL) 473 + break; 474 + blobptr += 2; /* advance attr type */ 475 + attrsize = le16_to_cpu(attrptr->length); 476 + blobptr += 2; /* advance attr size */ 477 + if (blobptr + attrsize > blobend) 478 + break; 479 + if (type == NTLMSSP_AV_TIMESTAMP) { 480 + if (attrsize == sizeof(u64)) 481 + return *((__le64 *)blobptr); 482 + } 483 + blobptr += attrsize; /* advance attr value */ 484 + } 485 + 486 + return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME)); 487 + } 488 + 489 static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash, 490 const struct nls_table *nls_cp) 491 { ··· 641 struct ntlmv2_resp *ntlmv2; 642 char ntlmv2_hash[16]; 643 unsigned char *tiblob = NULL; /* target info blob */ 644 + __le64 rsp_timestamp; 645 646 if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) { 647 if (!ses->domainName) { ··· 659 } 660 } 661 662 + /* Must be within 5 minutes of the server (or in range +/-2h 663 + * in case of Mac OS X), so simply carry over server timestamp 664 + * (as Windows 7 does) 665 + */ 666 + rsp_timestamp = find_timestamp(ses); 667 + 668 baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp); 669 tilen = ses->auth_key.len; 670 tiblob = ses->auth_key.response; ··· 675 (ses->auth_key.response + CIFS_SESS_KEY_SIZE); 676 ntlmv2->blob_signature = cpu_to_le32(0x00000101); 677 ntlmv2->reserved = 0; 678 + ntlmv2->time = rsp_timestamp; 679 + 680 get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal)); 681 ntlmv2->reserved2 = 0; 682

+6 -2

fs/cifs/smb2ops.c

··· 50 break; 51 default: 52 server->echoes = true; 53 - server->oplocks = true; 54 server->echo_credits = 1; 55 - server->oplock_credits = 1; 56 } 57 server->credits -= server->echo_credits + server->oplock_credits; 58 return 0;

··· 50 break; 51 default: 52 server->echoes = true; 53 + if (enable_oplocks) { 54 + server->oplocks = true; 55 + server->oplock_credits = 1; 56 + } else 57 + server->oplocks = false; 58 + 59 server->echo_credits = 1; 60 } 61 server->credits -= server->echo_credits + server->oplock_credits; 62 return 0;

+69 -15

fs/cifs/smb2pdu.c

··· 46 #include "smb2status.h" 47 #include "smb2glob.h" 48 #include "cifspdu.h" 49 50 /* 51 * The following table defines the expected "StructureSize" of SMB2 requests ··· 487 cifs_dbg(FYI, "missing security blob on negprot\n"); 488 489 rc = cifs_enable_signing(server, ses->sign); 490 - #ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */ 491 if (rc) 492 goto neg_exit; 493 - if (blob_length) 494 rc = decode_negTokenInit(security_blob, blob_length, server); 495 - if (rc == 1) 496 - rc = 0; 497 - else if (rc == 0) { 498 - rc = -EIO; 499 - goto neg_exit; 500 } 501 - #endif 502 - 503 neg_exit: 504 free_rsp_buf(resp_buftype, rsp); 505 return rc; ··· 589 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ 590 struct TCP_Server_Info *server = ses->server; 591 u16 blob_length = 0; 592 - char *security_blob; 593 char *ntlmssp_blob = NULL; 594 bool use_spnego = false; /* else use raw ntlmssp */ 595 ··· 618 ses->ntlmssp->sesskey_per_smbsess = true; 619 620 /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */ 621 - ses->sectype = RawNTLMSSP; 622 623 ssetup_ntlmssp_authenticate: 624 if (phase == NtLmChallenge) ··· 648 iov[0].iov_base = (char *)req; 649 /* 4 for rfc1002 length field and 1 for pad */ 650 iov[0].iov_len = get_rfc1002_length(req) + 4 - 1; 651 - if (phase == NtLmNegotiate) { 652 ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE), 653 GFP_KERNEL); 654 if (ntlmssp_blob == NULL) { ··· 712 /* with raw NTLMSSP we don't encapsulate in SPNEGO */ 713 security_blob = ntlmssp_blob; 714 } 715 } else if (phase == NtLmAuthenticate) { 716 req->hdr.SessionId = ses->Suid; 717 ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500, ··· 741 } else { 742 security_blob = ntlmssp_blob; 743 } 744 } else { 745 cifs_dbg(VFS, "illegal ntlmssp phase\n"); 746 rc = -EIO; ··· 754 cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 755 1 /* pad */ - 4 /* rfc1001 len */); 756 req->SecurityBufferLength = cpu_to_le16(blob_length); 757 - iov[1].iov_base = security_blob; 758 - iov[1].iov_len = blob_length; 759 760 inc_rfc1001_len(req, blob_length - 1 /* pad */); 761 ··· 764 765 kfree(security_blob); 766 rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; 767 if (resp_buftype != CIFS_NO_BUFFER && 768 rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { 769 if (phase != NtLmNegotiate) { ··· 782 /* NTLMSSP Negotiate sent now processing challenge (response) */ 783 phase = NtLmChallenge; /* process ntlmssp challenge */ 784 rc = 0; /* MORE_PROCESSING is not an error here but expected */ 785 - ses->Suid = rsp->hdr.SessionId; 786 rc = decode_ntlmssp_challenge(rsp->Buffer, 787 le16_to_cpu(rsp->SecurityBufferLength), ses); 788 } ··· 837 if (!server->sign) { 838 kfree(ses->auth_key.response); 839 ses->auth_key.response = NULL; 840 } 841 kfree(ses->ntlmssp); 842 ··· 922 if (tcon && tcon->bad_network_name) 923 return -ENOENT; 924 925 unc_path = kmalloc(MAX_SHARENAME_LENGTH * 2, GFP_KERNEL); 926 if (unc_path == NULL) 927 return -ENOMEM; ··· 1007 ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) 1008 cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); 1009 init_copy_chunk_defaults(tcon); 1010 if (tcon->ses->server->ops->validate_negotiate) 1011 rc = tcon->ses->server->ops->validate_negotiate(xid, tcon); 1012 tcon_exit:

··· 46 #include "smb2status.h" 47 #include "smb2glob.h" 48 #include "cifspdu.h" 49 + #include "cifs_spnego.h" 50 51 /* 52 * The following table defines the expected "StructureSize" of SMB2 requests ··· 486 cifs_dbg(FYI, "missing security blob on negprot\n"); 487 488 rc = cifs_enable_signing(server, ses->sign); 489 if (rc) 490 goto neg_exit; 491 + if (blob_length) { 492 rc = decode_negTokenInit(security_blob, blob_length, server); 493 + if (rc == 1) 494 + rc = 0; 495 + else if (rc == 0) 496 + rc = -EIO; 497 } 498 neg_exit: 499 free_rsp_buf(resp_buftype, rsp); 500 return rc; ··· 592 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ 593 struct TCP_Server_Info *server = ses->server; 594 u16 blob_length = 0; 595 + struct key *spnego_key = NULL; 596 + char *security_blob = NULL; 597 char *ntlmssp_blob = NULL; 598 bool use_spnego = false; /* else use raw ntlmssp */ 599 ··· 620 ses->ntlmssp->sesskey_per_smbsess = true; 621 622 /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */ 623 + if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP) 624 + ses->sectype = RawNTLMSSP; 625 626 ssetup_ntlmssp_authenticate: 627 if (phase == NtLmChallenge) ··· 649 iov[0].iov_base = (char *)req; 650 /* 4 for rfc1002 length field and 1 for pad */ 651 iov[0].iov_len = get_rfc1002_length(req) + 4 - 1; 652 + 653 + if (ses->sectype == Kerberos) { 654 + #ifdef CONFIG_CIFS_UPCALL 655 + struct cifs_spnego_msg *msg; 656 + 657 + spnego_key = cifs_get_spnego_key(ses); 658 + if (IS_ERR(spnego_key)) { 659 + rc = PTR_ERR(spnego_key); 660 + spnego_key = NULL; 661 + goto ssetup_exit; 662 + } 663 + 664 + msg = spnego_key->payload.data; 665 + /* 666 + * check version field to make sure that cifs.upcall is 667 + * sending us a response in an expected form 668 + */ 669 + if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 670 + cifs_dbg(VFS, 671 + "bad cifs.upcall version. Expected %d got %d", 672 + CIFS_SPNEGO_UPCALL_VERSION, msg->version); 673 + rc = -EKEYREJECTED; 674 + goto ssetup_exit; 675 + } 676 + ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, 677 + GFP_KERNEL); 678 + if (!ses->auth_key.response) { 679 + cifs_dbg(VFS, 680 + "Kerberos can't allocate (%u bytes) memory", 681 + msg->sesskey_len); 682 + rc = -ENOMEM; 683 + goto ssetup_exit; 684 + } 685 + ses->auth_key.len = msg->sesskey_len; 686 + blob_length = msg->secblob_len; 687 + iov[1].iov_base = msg->data + msg->sesskey_len; 688 + iov[1].iov_len = blob_length; 689 + #else 690 + rc = -EOPNOTSUPP; 691 + goto ssetup_exit; 692 + #endif /* CONFIG_CIFS_UPCALL */ 693 + } else if (phase == NtLmNegotiate) { /* if not krb5 must be ntlmssp */ 694 ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE), 695 GFP_KERNEL); 696 if (ntlmssp_blob == NULL) { ··· 672 /* with raw NTLMSSP we don't encapsulate in SPNEGO */ 673 security_blob = ntlmssp_blob; 674 } 675 + iov[1].iov_base = security_blob; 676 + iov[1].iov_len = blob_length; 677 } else if (phase == NtLmAuthenticate) { 678 req->hdr.SessionId = ses->Suid; 679 ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500, ··· 699 } else { 700 security_blob = ntlmssp_blob; 701 } 702 + iov[1].iov_base = security_blob; 703 + iov[1].iov_len = blob_length; 704 } else { 705 cifs_dbg(VFS, "illegal ntlmssp phase\n"); 706 rc = -EIO; ··· 710 cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 711 1 /* pad */ - 4 /* rfc1001 len */); 712 req->SecurityBufferLength = cpu_to_le16(blob_length); 713 714 inc_rfc1001_len(req, blob_length - 1 /* pad */); 715 ··· 722 723 kfree(security_blob); 724 rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; 725 + ses->Suid = rsp->hdr.SessionId; 726 if (resp_buftype != CIFS_NO_BUFFER && 727 rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { 728 if (phase != NtLmNegotiate) { ··· 739 /* NTLMSSP Negotiate sent now processing challenge (response) */ 740 phase = NtLmChallenge; /* process ntlmssp challenge */ 741 rc = 0; /* MORE_PROCESSING is not an error here but expected */ 742 rc = decode_ntlmssp_challenge(rsp->Buffer, 743 le16_to_cpu(rsp->SecurityBufferLength), ses); 744 } ··· 795 if (!server->sign) { 796 kfree(ses->auth_key.response); 797 ses->auth_key.response = NULL; 798 + } 799 + if (spnego_key) { 800 + key_invalidate(spnego_key); 801 + key_put(spnego_key); 802 } 803 kfree(ses->ntlmssp); 804 ··· 876 if (tcon && tcon->bad_network_name) 877 return -ENOENT; 878 879 + if ((tcon->seal) && 880 + ((ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) == 0)) { 881 + cifs_dbg(VFS, "encryption requested but no server support"); 882 + return -EOPNOTSUPP; 883 + } 884 + 885 unc_path = kmalloc(MAX_SHARENAME_LENGTH * 2, GFP_KERNEL); 886 if (unc_path == NULL) 887 return -ENOMEM; ··· 955 ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) 956 cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); 957 init_copy_chunk_defaults(tcon); 958 + if (tcon->share_flags & SHI1005_FLAGS_ENCRYPT_DATA) 959 + cifs_dbg(VFS, "Encrypted shares not supported"); 960 if (tcon->ses->server->ops->validate_negotiate) 961 rc = tcon->ses->server->ops->validate_negotiate(xid, tcon); 962 tcon_exit: