sess.c revision 3f9bcca7820a6711307b6499952b13cfcfc31dd6
1/* 2 * fs/cifs/sess.c 3 * 4 * SMB/CIFS session setup handling routines 5 * 6 * Copyright (c) International Business Machines Corp., 2006, 2009 7 * Author(s): Steve French (sfrench@us.ibm.com) 8 * 9 * This library is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU Lesser General Public License as published 11 * by the Free Software Foundation; either version 2.1 of the License, or 12 * (at your option) any later version. 13 * 14 * This library is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 17 * the GNU Lesser General Public License for more details. 18 * 19 * You should have received a copy of the GNU Lesser General Public License 20 * along with this library; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 */ 23 24#include "cifspdu.h" 25#include "cifsglob.h" 26#include "cifsproto.h" 27#include "cifs_unicode.h" 28#include "cifs_debug.h" 29#include "ntlmssp.h" 30#include "nterr.h" 31#include <linux/utsname.h> 32#include <linux/slab.h> 33#include "cifs_spnego.h" 34 35extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8, 36 unsigned char *p24); 37 38/* 39 * Checks if this is the first smb session to be reconnected after 40 * the socket has been reestablished (so we know whether to use vc 0). 41 * Called while holding the cifs_tcp_ses_lock, so do not block 42 */ 43static bool is_first_ses_reconnect(struct cifsSesInfo *ses) 44{ 45 struct list_head *tmp; 46 struct cifsSesInfo *tmp_ses; 47 48 list_for_each(tmp, &ses->server->smb_ses_list) { 49 tmp_ses = list_entry(tmp, struct cifsSesInfo, 50 smb_ses_list); 51 if (tmp_ses->need_reconnect == false) 52 return false; 53 } 54 /* could not find a session that was already connected, 55 this must be the first one we are reconnecting */ 56 return true; 57} 58 59/* 60 * vc number 0 is treated specially by some servers, and should be the 61 * first one we request. After that we can use vcnumbers up to maxvcs, 62 * one for each smb session (some Windows versions set maxvcs incorrectly 63 * so maxvc=1 can be ignored). If we have too many vcs, we can reuse 64 * any vc but zero (some servers reset the connection on vcnum zero) 65 * 66 */ 67static __le16 get_next_vcnum(struct cifsSesInfo *ses) 68{ 69 __u16 vcnum = 0; 70 struct list_head *tmp; 71 struct cifsSesInfo *tmp_ses; 72 __u16 max_vcs = ses->server->max_vcs; 73 __u16 i; 74 int free_vc_found = 0; 75 76 /* Quoting the MS-SMB specification: "Windows-based SMB servers set this 77 field to one but do not enforce this limit, which allows an SMB client 78 to establish more virtual circuits than allowed by this value ... but 79 other server implementations can enforce this limit." */ 80 if (max_vcs < 2) 81 max_vcs = 0xFFFF; 82 83 spin_lock(&cifs_tcp_ses_lock); 84 if ((ses->need_reconnect) && is_first_ses_reconnect(ses)) 85 goto get_vc_num_exit; /* vcnum will be zero */ 86 for (i = ses->server->srv_count - 1; i < max_vcs; i++) { 87 if (i == 0) /* this is the only connection, use vc 0 */ 88 break; 89 90 free_vc_found = 1; 91 92 list_for_each(tmp, &ses->server->smb_ses_list) { 93 tmp_ses = list_entry(tmp, struct cifsSesInfo, 94 smb_ses_list); 95 if (tmp_ses->vcnum == i) { 96 free_vc_found = 0; 97 break; /* found duplicate, try next vcnum */ 98 } 99 } 100 if (free_vc_found) 101 break; /* we found a vcnumber that will work - use it */ 102 } 103 104 if (i == 0) 105 vcnum = 0; /* for most common case, ie if one smb session, use 106 vc zero. Also for case when no free vcnum, zero 107 is safest to send (some clients only send zero) */ 108 else if (free_vc_found == 0) 109 vcnum = 1; /* we can not reuse vc=0 safely, since some servers 110 reset all uids on that, but 1 is ok. */ 111 else 112 vcnum = i; 113 ses->vcnum = vcnum; 114get_vc_num_exit: 115 spin_unlock(&cifs_tcp_ses_lock); 116 117 return cpu_to_le16(vcnum); 118} 119 120static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB) 121{ 122 __u32 capabilities = 0; 123 124 /* init fields common to all four types of SessSetup */ 125 /* Note that offsets for first seven fields in req struct are same */ 126 /* in CIFS Specs so does not matter which of 3 forms of struct */ 127 /* that we use in next few lines */ 128 /* Note that header is initialized to zero in header_assemble */ 129 pSMB->req.AndXCommand = 0xFF; 130 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf); 131 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq); 132 pSMB->req.VcNumber = get_next_vcnum(ses); 133 134 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ 135 136 /* BB verify whether signing required on neg or just on auth frame 137 (and NTLM case) */ 138 139 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | 140 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; 141 142 if (ses->server->secMode & 143 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) 144 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; 145 146 if (ses->capabilities & CAP_UNICODE) { 147 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; 148 capabilities |= CAP_UNICODE; 149 } 150 if (ses->capabilities & CAP_STATUS32) { 151 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; 152 capabilities |= CAP_STATUS32; 153 } 154 if (ses->capabilities & CAP_DFS) { 155 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; 156 capabilities |= CAP_DFS; 157 } 158 if (ses->capabilities & CAP_UNIX) 159 capabilities |= CAP_UNIX; 160 161 return capabilities; 162} 163 164static void 165unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) 166{ 167 char *bcc_ptr = *pbcc_area; 168 int bytes_ret = 0; 169 170 /* Copy OS version */ 171 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32, 172 nls_cp); 173 bcc_ptr += 2 * bytes_ret; 174 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release, 175 32, nls_cp); 176 bcc_ptr += 2 * bytes_ret; 177 bcc_ptr += 2; /* trailing null */ 178 179 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, 180 32, nls_cp); 181 bcc_ptr += 2 * bytes_ret; 182 bcc_ptr += 2; /* trailing null */ 183 184 *pbcc_area = bcc_ptr; 185} 186 187static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses, 188 const struct nls_table *nls_cp) 189{ 190 char *bcc_ptr = *pbcc_area; 191 int bytes_ret = 0; 192 193 /* copy domain */ 194 if (ses->domainName == NULL) { 195 /* Sending null domain better than using a bogus domain name (as 196 we did briefly in 2.6.18) since server will use its default */ 197 *bcc_ptr = 0; 198 *(bcc_ptr+1) = 0; 199 bytes_ret = 0; 200 } else 201 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName, 202 256, nls_cp); 203 bcc_ptr += 2 * bytes_ret; 204 bcc_ptr += 2; /* account for null terminator */ 205 206 *pbcc_area = bcc_ptr; 207} 208 209 210static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, 211 const struct nls_table *nls_cp) 212{ 213 char *bcc_ptr = *pbcc_area; 214 int bytes_ret = 0; 215 216 /* BB FIXME add check that strings total less 217 than 335 or will need to send them as arrays */ 218 219 /* unicode strings, must be word aligned before the call */ 220/* if ((long) bcc_ptr % 2) { 221 *bcc_ptr = 0; 222 bcc_ptr++; 223 } */ 224 /* copy user */ 225 if (ses->userName == NULL) { 226 /* null user mount */ 227 *bcc_ptr = 0; 228 *(bcc_ptr+1) = 0; 229 } else { 230 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName, 231 MAX_USERNAME_SIZE, nls_cp); 232 } 233 bcc_ptr += 2 * bytes_ret; 234 bcc_ptr += 2; /* account for null termination */ 235 236 unicode_domain_string(&bcc_ptr, ses, nls_cp); 237 unicode_oslm_strings(&bcc_ptr, nls_cp); 238 239 *pbcc_area = bcc_ptr; 240} 241 242static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, 243 const struct nls_table *nls_cp) 244{ 245 char *bcc_ptr = *pbcc_area; 246 247 /* copy user */ 248 /* BB what about null user mounts - check that we do this BB */ 249 /* copy user */ 250 if (ses->userName == NULL) { 251 /* BB what about null user mounts - check that we do this BB */ 252 } else { 253 strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE); 254 } 255 bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE); 256 *bcc_ptr = 0; 257 bcc_ptr++; /* account for null termination */ 258 259 /* copy domain */ 260 261 if (ses->domainName != NULL) { 262 strncpy(bcc_ptr, ses->domainName, 256); 263 bcc_ptr += strnlen(ses->domainName, 256); 264 } /* else we will send a null domain name 265 so the server will default to its own domain */ 266 *bcc_ptr = 0; 267 bcc_ptr++; 268 269 /* BB check for overflow here */ 270 271 strcpy(bcc_ptr, "Linux version "); 272 bcc_ptr += strlen("Linux version "); 273 strcpy(bcc_ptr, init_utsname()->release); 274 bcc_ptr += strlen(init_utsname()->release) + 1; 275 276 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); 277 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; 278 279 *pbcc_area = bcc_ptr; 280} 281 282static void 283decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses, 284 const struct nls_table *nls_cp) 285{ 286 int len; 287 char *data = *pbcc_area; 288 289 cFYI(1, "bleft %d", bleft); 290 291 /* 292 * Windows servers do not always double null terminate their final 293 * Unicode string. Check to see if there are an uneven number of bytes 294 * left. If so, then add an extra NULL pad byte to the end of the 295 * response. 296 * 297 * See section 2.7.2 in "Implementing CIFS" for details 298 */ 299 if (bleft % 2) { 300 data[bleft] = 0; 301 ++bleft; 302 } 303 304 kfree(ses->serverOS); 305 ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp); 306 cFYI(1, "serverOS=%s", ses->serverOS); 307 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 308 data += len; 309 bleft -= len; 310 if (bleft <= 0) 311 return; 312 313 kfree(ses->serverNOS); 314 ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp); 315 cFYI(1, "serverNOS=%s", ses->serverNOS); 316 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; 317 data += len; 318 bleft -= len; 319 if (bleft <= 0) 320 return; 321 322 kfree(ses->serverDomain); 323 ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp); 324 cFYI(1, "serverDomain=%s", ses->serverDomain); 325 326 return; 327} 328 329static int decode_ascii_ssetup(char **pbcc_area, int bleft, 330 struct cifsSesInfo *ses, 331 const struct nls_table *nls_cp) 332{ 333 int rc = 0; 334 int len; 335 char *bcc_ptr = *pbcc_area; 336 337 cFYI(1, "decode sessetup ascii. bleft %d", bleft); 338 339 len = strnlen(bcc_ptr, bleft); 340 if (len >= bleft) 341 return rc; 342 343 kfree(ses->serverOS); 344 345 ses->serverOS = kzalloc(len + 1, GFP_KERNEL); 346 if (ses->serverOS) 347 strncpy(ses->serverOS, bcc_ptr, len); 348 if (strncmp(ses->serverOS, "OS/2", 4) == 0) { 349 cFYI(1, "OS/2 server"); 350 ses->flags |= CIFS_SES_OS2; 351 } 352 353 bcc_ptr += len + 1; 354 bleft -= len + 1; 355 356 len = strnlen(bcc_ptr, bleft); 357 if (len >= bleft) 358 return rc; 359 360 kfree(ses->serverNOS); 361 362 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL); 363 if (ses->serverNOS) 364 strncpy(ses->serverNOS, bcc_ptr, len); 365 366 bcc_ptr += len + 1; 367 bleft -= len + 1; 368 369 len = strnlen(bcc_ptr, bleft); 370 if (len > bleft) 371 return rc; 372 373 /* No domain field in LANMAN case. Domain is 374 returned by old servers in the SMB negprot response */ 375 /* BB For newer servers which do not support Unicode, 376 but thus do return domain here we could add parsing 377 for it later, but it is not very important */ 378 cFYI(1, "ascii: bytes left %d", bleft); 379 380 return rc; 381} 382 383static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, 384 struct cifsSesInfo *ses) 385{ 386 unsigned int tioffset; /* challenge message target info area */ 387 unsigned int tilen; /* challenge message target info area length */ 388 389 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; 390 391 if (blob_len < sizeof(CHALLENGE_MESSAGE)) { 392 cERROR(1, "challenge blob len %d too small", blob_len); 393 return -EINVAL; 394 } 395 396 if (memcmp(pblob->Signature, "NTLMSSP", 8)) { 397 cERROR(1, "blob signature incorrect %s", pblob->Signature); 398 return -EINVAL; 399 } 400 if (pblob->MessageType != NtLmChallenge) { 401 cERROR(1, "Incorrect message type %d", pblob->MessageType); 402 return -EINVAL; 403 } 404 405 memcpy(ses->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); 406 /* BB we could decode pblob->NegotiateFlags; some may be useful */ 407 /* In particular we can examine sign flags */ 408 /* BB spec says that if AvId field of MsvAvTimestamp is populated then 409 we must set the MIC field of the AUTHENTICATE_MESSAGE */ 410 411 tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset); 412 tilen = cpu_to_le16(pblob->TargetInfoArray.Length); 413 ses->tilen = tilen; 414 if (ses->tilen) { 415 ses->tiblob = kmalloc(tilen, GFP_KERNEL); 416 if (!ses->tiblob) { 417 cERROR(1, "Challenge target info allocation failure"); 418 ses->tilen = 0; 419 return -ENOMEM; 420 } 421 memcpy(ses->tiblob, bcc_ptr + tioffset, ses->tilen); 422 } 423 424 return 0; 425} 426 427#ifdef CONFIG_CIFS_EXPERIMENTAL 428/* BB Move to ntlmssp.c eventually */ 429 430/* We do not malloc the blob, it is passed in pbuffer, because 431 it is fixed size, and small, making this approach cleaner */ 432static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, 433 struct cifsSesInfo *ses) 434{ 435 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer; 436 __u32 flags; 437 438 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 439 sec_blob->MessageType = NtLmNegotiate; 440 441 /* BB is NTLMV2 session security format easier to use here? */ 442 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | 443 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 444 NTLMSSP_NEGOTIATE_NTLM; 445 if (ses->server->secMode & 446 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) 447 flags |= NTLMSSP_NEGOTIATE_SIGN; 448 if (ses->server->secMode & SECMODE_SIGN_REQUIRED) 449 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; 450 451 sec_blob->NegotiateFlags |= cpu_to_le32(flags); 452 453 sec_blob->WorkstationName.BufferOffset = 0; 454 sec_blob->WorkstationName.Length = 0; 455 sec_blob->WorkstationName.MaximumLength = 0; 456 457 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */ 458 sec_blob->DomainName.BufferOffset = 0; 459 sec_blob->DomainName.Length = 0; 460 sec_blob->DomainName.MaximumLength = 0; 461} 462 463/* We do not malloc the blob, it is passed in pbuffer, because its 464 maximum possible size is fixed and small, making this approach cleaner. 465 This function returns the length of the data in the blob */ 466static int build_ntlmssp_auth_blob(unsigned char *pbuffer, 467 u16 *buflen, 468 struct cifsSesInfo *ses, 469 const struct nls_table *nls_cp) 470{ 471 int rc; 472 unsigned int size; 473 AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer; 474 __u32 flags; 475 unsigned char *tmp; 476 struct ntlmv2_resp ntlmv2_response = {}; 477 478 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); 479 sec_blob->MessageType = NtLmAuthenticate; 480 481 flags = NTLMSSP_NEGOTIATE_56 | 482 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO | 483 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | 484 NTLMSSP_NEGOTIATE_NTLM; 485 if (ses->server->secMode & 486 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) 487 flags |= NTLMSSP_NEGOTIATE_SIGN; 488 if (ses->server->secMode & SECMODE_SIGN_REQUIRED) 489 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; 490 491 tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE); 492 sec_blob->NegotiateFlags |= cpu_to_le32(flags); 493 494 sec_blob->LmChallengeResponse.BufferOffset = 495 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); 496 sec_blob->LmChallengeResponse.Length = 0; 497 sec_blob->LmChallengeResponse.MaximumLength = 0; 498 499 sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); 500 rc = setup_ntlmv2_rsp(ses, (char *)&ntlmv2_response, nls_cp); 501 if (rc) { 502 cERROR(1, "Error %d during NTLMSSP authentication", rc); 503 goto setup_ntlmv2_ret; 504 } 505 size = sizeof(struct ntlmv2_resp); 506 memcpy(tmp, (char *)&ntlmv2_response, size); 507 tmp += size; 508 if (ses->tilen > 0) { 509 memcpy(tmp, ses->tiblob, ses->tilen); 510 tmp += ses->tilen; 511 } 512 513 sec_blob->NtChallengeResponse.Length = cpu_to_le16(size + ses->tilen); 514 sec_blob->NtChallengeResponse.MaximumLength = 515 cpu_to_le16(size + ses->tilen); 516 kfree(ses->tiblob); 517 ses->tiblob = NULL; 518 ses->tilen = 0; 519 520 if (ses->domainName == NULL) { 521 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); 522 sec_blob->DomainName.Length = 0; 523 sec_blob->DomainName.MaximumLength = 0; 524 tmp += 2; 525 } else { 526 int len; 527 len = cifs_strtoUCS((__le16 *)tmp, ses->domainName, 528 MAX_USERNAME_SIZE, nls_cp); 529 len *= 2; /* unicode is 2 bytes each */ 530 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); 531 sec_blob->DomainName.Length = cpu_to_le16(len); 532 sec_blob->DomainName.MaximumLength = cpu_to_le16(len); 533 tmp += len; 534 } 535 536 if (ses->userName == NULL) { 537 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); 538 sec_blob->UserName.Length = 0; 539 sec_blob->UserName.MaximumLength = 0; 540 tmp += 2; 541 } else { 542 int len; 543 len = cifs_strtoUCS((__le16 *)tmp, ses->userName, 544 MAX_USERNAME_SIZE, nls_cp); 545 len *= 2; /* unicode is 2 bytes each */ 546 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); 547 sec_blob->UserName.Length = cpu_to_le16(len); 548 sec_blob->UserName.MaximumLength = cpu_to_le16(len); 549 tmp += len; 550 } 551 552 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer); 553 sec_blob->WorkstationName.Length = 0; 554 sec_blob->WorkstationName.MaximumLength = 0; 555 tmp += 2; 556 557 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer); 558 sec_blob->SessionKey.Length = 0; 559 sec_blob->SessionKey.MaximumLength = 0; 560 561setup_ntlmv2_ret: 562 *buflen = tmp - pbuffer; 563 return rc; 564} 565 566 567static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB, 568 struct cifsSesInfo *ses) 569{ 570 build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses); 571 pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE)); 572 573 return; 574} 575#endif 576 577int 578CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, 579 const struct nls_table *nls_cp) 580{ 581 int rc = 0; 582 int wct; 583 struct smb_hdr *smb_buf; 584 char *bcc_ptr; 585 char *str_area; 586 SESSION_SETUP_ANDX *pSMB; 587 __u32 capabilities; 588 int count; 589 int resp_buf_type; 590 struct kvec iov[3]; 591 enum securityEnum type; 592 __u16 action; 593 int bytes_remaining; 594 struct key *spnego_key = NULL; 595 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ 596 u16 blob_len; 597 char *ntlmsspblob = NULL; 598 599 if (ses == NULL) 600 return -EINVAL; 601 602 type = ses->server->secType; 603 604 cFYI(1, "sess setup type %d", type); 605ssetup_ntlmssp_authenticate: 606 if (phase == NtLmChallenge) 607 phase = NtLmAuthenticate; /* if ntlmssp, now final phase */ 608 609 if (type == LANMAN) { 610#ifndef CONFIG_CIFS_WEAK_PW_HASH 611 /* LANMAN and plaintext are less secure and off by default. 612 So we make this explicitly be turned on in kconfig (in the 613 build) and turned on at runtime (changed from the default) 614 in proc/fs/cifs or via mount parm. Unfortunately this is 615 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */ 616 return -EOPNOTSUPP; 617#endif 618 wct = 10; /* lanman 2 style sessionsetup */ 619 } else if ((type == NTLM) || (type == NTLMv2)) { 620 /* For NTLMv2 failures eventually may need to retry NTLM */ 621 wct = 13; /* old style NTLM sessionsetup */ 622 } else /* same size: negotiate or auth, NTLMSSP or extended security */ 623 wct = 12; 624 625 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, 626 (void **)&smb_buf); 627 if (rc) 628 return rc; 629 630 pSMB = (SESSION_SETUP_ANDX *)smb_buf; 631 632 capabilities = cifs_ssetup_hdr(ses, pSMB); 633 634 /* we will send the SMB in three pieces: 635 a fixed length beginning part, an optional 636 SPNEGO blob (which can be zero length), and a 637 last part which will include the strings 638 and rest of bcc area. This allows us to avoid 639 a large buffer 17K allocation */ 640 iov[0].iov_base = (char *)pSMB; 641 iov[0].iov_len = smb_buf->smb_buf_length + 4; 642 643 /* setting this here allows the code at the end of the function 644 to free the request buffer if there's an error */ 645 resp_buf_type = CIFS_SMALL_BUFFER; 646 647 /* 2000 big enough to fit max user, domain, NOS name etc. */ 648 str_area = kmalloc(2000, GFP_KERNEL); 649 if (str_area == NULL) { 650 rc = -ENOMEM; 651 goto ssetup_exit; 652 } 653 bcc_ptr = str_area; 654 655 ses->flags &= ~CIFS_SES_LANMAN; 656 657 iov[1].iov_base = NULL; 658 iov[1].iov_len = 0; 659 660 if (type == LANMAN) { 661#ifdef CONFIG_CIFS_WEAK_PW_HASH 662 char lnm_session_key[CIFS_SESS_KEY_SIZE]; 663 664 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE; 665 666 /* no capabilities flags in old lanman negotiation */ 667 668 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE); 669 /* BB calculate hash with password */ 670 /* and copy into bcc */ 671 672 calc_lanman_hash(ses->password, ses->cryptKey, 673 ses->server->secMode & SECMODE_PW_ENCRYPT ? 674 true : false, lnm_session_key); 675 676 ses->flags |= CIFS_SES_LANMAN; 677 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE); 678 bcc_ptr += CIFS_SESS_KEY_SIZE; 679 680 /* can not sign if LANMAN negotiated so no need 681 to calculate signing key? but what if server 682 changed to do higher than lanman dialect and 683 we reconnected would we ever calc signing_key? */ 684 685 cFYI(1, "Negotiating LANMAN setting up strings"); 686 /* Unicode not allowed for LANMAN dialects */ 687 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); 688#endif 689 } else if (type == NTLM) { 690 char ntlm_session_key[CIFS_SESS_KEY_SIZE]; 691 692 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 693 pSMB->req_no_secext.CaseInsensitivePasswordLength = 694 cpu_to_le16(CIFS_SESS_KEY_SIZE); 695 pSMB->req_no_secext.CaseSensitivePasswordLength = 696 cpu_to_le16(CIFS_SESS_KEY_SIZE); 697 698 /* calculate session key */ 699 SMBNTencrypt(ses->password, ses->cryptKey, ntlm_session_key); 700 701 cifs_calculate_session_key(&ses->auth_key, 702 ntlm_session_key, ses->password); 703 /* copy session key */ 704 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE); 705 bcc_ptr += CIFS_SESS_KEY_SIZE; 706 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE); 707 bcc_ptr += CIFS_SESS_KEY_SIZE; 708 if (ses->capabilities & CAP_UNICODE) { 709 /* unicode strings must be word aligned */ 710 if (iov[0].iov_len % 2) { 711 *bcc_ptr = 0; 712 bcc_ptr++; 713 } 714 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); 715 } else 716 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); 717 } else if (type == NTLMv2) { 718 char *v2_sess_key = 719 kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL); 720 721 /* BB FIXME change all users of v2_sess_key to 722 struct ntlmv2_resp */ 723 724 if (v2_sess_key == NULL) { 725 rc = -ENOMEM; 726 goto ssetup_exit; 727 } 728 729 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); 730 731 /* LM2 password would be here if we supported it */ 732 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; 733 /* cpu_to_le16(LM2_SESS_KEY_SIZE); */ 734 735 /* calculate session key */ 736 rc = setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp); 737 if (rc) { 738 cERROR(1, "Error %d during NTLMv2 authentication", rc); 739 kfree(v2_sess_key); 740 goto ssetup_exit; 741 } 742 memcpy(bcc_ptr, (char *)v2_sess_key, 743 sizeof(struct ntlmv2_resp)); 744 bcc_ptr += sizeof(struct ntlmv2_resp); 745 kfree(v2_sess_key); 746 /* set case sensitive password length after tilen may get 747 * assigned, tilen is 0 otherwise. 748 */ 749 pSMB->req_no_secext.CaseSensitivePasswordLength = 750 cpu_to_le16(sizeof(struct ntlmv2_resp) + ses->tilen); 751 if (ses->tilen > 0) { 752 memcpy(bcc_ptr, ses->tiblob, ses->tilen); 753 bcc_ptr += ses->tilen; 754 /* we never did allocate ses->domainName to free */ 755 kfree(ses->tiblob); 756 ses->tiblob = NULL; 757 ses->tilen = 0; 758 } 759 760 if (ses->capabilities & CAP_UNICODE) { 761 if (iov[0].iov_len % 2) { 762 *bcc_ptr = 0; 763 bcc_ptr++; 764 } 765 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); 766 } else 767 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); 768 } else if (type == Kerberos) { 769#ifdef CONFIG_CIFS_UPCALL 770 struct cifs_spnego_msg *msg; 771 spnego_key = cifs_get_spnego_key(ses); 772 if (IS_ERR(spnego_key)) { 773 rc = PTR_ERR(spnego_key); 774 spnego_key = NULL; 775 goto ssetup_exit; 776 } 777 778 msg = spnego_key->payload.data; 779 /* check version field to make sure that cifs.upcall is 780 sending us a response in an expected form */ 781 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { 782 cERROR(1, "incorrect version of cifs.upcall (expected" 783 " %d but got %d)", 784 CIFS_SPNEGO_UPCALL_VERSION, msg->version); 785 rc = -EKEYREJECTED; 786 goto ssetup_exit; 787 } 788 /* bail out if key is too long */ 789 if (msg->sesskey_len > 790 sizeof(ses->auth_key.data.krb5)) { 791 cERROR(1, "Kerberos signing key too long (%u bytes)", 792 msg->sesskey_len); 793 rc = -EOVERFLOW; 794 goto ssetup_exit; 795 } 796 ses->auth_key.len = msg->sesskey_len; 797 memcpy(ses->auth_key.data.krb5, msg->data, msg->sesskey_len); 798 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 799 capabilities |= CAP_EXTENDED_SECURITY; 800 pSMB->req.Capabilities = cpu_to_le32(capabilities); 801 iov[1].iov_base = msg->data + msg->sesskey_len; 802 iov[1].iov_len = msg->secblob_len; 803 pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len); 804 805 if (ses->capabilities & CAP_UNICODE) { 806 /* unicode strings must be word aligned */ 807 if ((iov[0].iov_len + iov[1].iov_len) % 2) { 808 *bcc_ptr = 0; 809 bcc_ptr++; 810 } 811 unicode_oslm_strings(&bcc_ptr, nls_cp); 812 unicode_domain_string(&bcc_ptr, ses, nls_cp); 813 } else 814 /* BB: is this right? */ 815 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); 816#else /* ! CONFIG_CIFS_UPCALL */ 817 cERROR(1, "Kerberos negotiated but upcall support disabled!"); 818 rc = -ENOSYS; 819 goto ssetup_exit; 820#endif /* CONFIG_CIFS_UPCALL */ 821 } else { 822#ifdef CONFIG_CIFS_EXPERIMENTAL 823 if (type == RawNTLMSSP) { 824 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { 825 cERROR(1, "NTLMSSP requires Unicode support"); 826 rc = -ENOSYS; 827 goto ssetup_exit; 828 } 829 830 cFYI(1, "ntlmssp session setup phase %d", phase); 831 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; 832 capabilities |= CAP_EXTENDED_SECURITY; 833 pSMB->req.Capabilities |= cpu_to_le32(capabilities); 834 if (phase == NtLmNegotiate) { 835 setup_ntlmssp_neg_req(pSMB, ses); 836 iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE); 837 iov[1].iov_base = &pSMB->req.SecurityBlob[0]; 838 } else if (phase == NtLmAuthenticate) { 839 /* 5 is an empirical value, large enought to 840 * hold authenticate message, max 10 of 841 * av paris, doamin,user,workstation mames, 842 * flags etc.. 843 */ 844 ntlmsspblob = kmalloc( 845 5*sizeof(struct _AUTHENTICATE_MESSAGE), 846 GFP_KERNEL); 847 if (!ntlmsspblob) { 848 cERROR(1, "Can't allocate NTLMSSP"); 849 rc = -ENOMEM; 850 goto ssetup_exit; 851 } 852 853 rc = build_ntlmssp_auth_blob(ntlmsspblob, 854 &blob_len, ses, nls_cp); 855 if (rc) 856 goto ssetup_exit; 857 iov[1].iov_len = blob_len; 858 iov[1].iov_base = ntlmsspblob; 859 pSMB->req.SecurityBlobLength = 860 cpu_to_le16(blob_len); 861 /* Make sure that we tell the server that we 862 are using the uid that it just gave us back 863 on the response (challenge) */ 864 smb_buf->Uid = ses->Suid; 865 } else { 866 cERROR(1, "invalid phase %d", phase); 867 rc = -ENOSYS; 868 goto ssetup_exit; 869 } 870 /* unicode strings must be word aligned */ 871 if ((iov[0].iov_len + iov[1].iov_len) % 2) { 872 *bcc_ptr = 0; 873 bcc_ptr++; 874 } 875 unicode_oslm_strings(&bcc_ptr, nls_cp); 876 } else { 877 cERROR(1, "secType %d not supported!", type); 878 rc = -ENOSYS; 879 goto ssetup_exit; 880 } 881#else 882 cERROR(1, "secType %d not supported!", type); 883 rc = -ENOSYS; 884 goto ssetup_exit; 885#endif 886 } 887 888 iov[2].iov_base = str_area; 889 iov[2].iov_len = (long) bcc_ptr - (long) str_area; 890 891 count = iov[1].iov_len + iov[2].iov_len; 892 smb_buf->smb_buf_length += count; 893 894 BCC_LE(smb_buf) = cpu_to_le16(count); 895 896 rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type, 897 CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR); 898 /* SMB request buf freed in SendReceive2 */ 899 900 cFYI(1, "ssetup rc from sendrecv2 is %d", rc); 901 902 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base; 903 smb_buf = (struct smb_hdr *)iov[0].iov_base; 904 905 if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError == 906 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) { 907 if (phase != NtLmNegotiate) { 908 cERROR(1, "Unexpected more processing error"); 909 goto ssetup_exit; 910 } 911 /* NTLMSSP Negotiate sent now processing challenge (response) */ 912 phase = NtLmChallenge; /* process ntlmssp challenge */ 913 rc = 0; /* MORE_PROC rc is not an error here, but expected */ 914 } 915 if (rc) 916 goto ssetup_exit; 917 918 if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) { 919 rc = -EIO; 920 cERROR(1, "bad word count %d", smb_buf->WordCount); 921 goto ssetup_exit; 922 } 923 action = le16_to_cpu(pSMB->resp.Action); 924 if (action & GUEST_LOGIN) 925 cFYI(1, "Guest login"); /* BB mark SesInfo struct? */ 926 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ 927 cFYI(1, "UID = %d ", ses->Suid); 928 /* response can have either 3 or 4 word count - Samba sends 3 */ 929 /* and lanman response is 3 */ 930 bytes_remaining = BCC(smb_buf); 931 bcc_ptr = pByteArea(smb_buf); 932 933 if (smb_buf->WordCount == 4) { 934 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); 935 if (blob_len > bytes_remaining) { 936 cERROR(1, "bad security blob length %d", blob_len); 937 rc = -EINVAL; 938 goto ssetup_exit; 939 } 940 if (phase == NtLmChallenge) { 941 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); 942 /* now goto beginning for ntlmssp authenticate phase */ 943 if (rc) 944 goto ssetup_exit; 945 } 946 bcc_ptr += blob_len; 947 bytes_remaining -= blob_len; 948 } 949 950 /* BB check if Unicode and decode strings */ 951 if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 952 /* unicode string area must be word-aligned */ 953 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 954 ++bcc_ptr; 955 --bytes_remaining; 956 } 957 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp); 958 } else { 959 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, 960 ses, nls_cp); 961 } 962 963ssetup_exit: 964 if (spnego_key) { 965 key_revoke(spnego_key); 966 key_put(spnego_key); 967 } 968 kfree(str_area); 969 kfree(ntlmsspblob); 970 ntlmsspblob = NULL; 971 if (resp_buf_type == CIFS_SMALL_BUFFER) { 972 cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base); 973 cifs_small_buf_release(iov[0].iov_base); 974 } else if (resp_buf_type == CIFS_LARGE_BUFFER) 975 cifs_buf_release(iov[0].iov_base); 976 977 /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */ 978 if ((phase == NtLmChallenge) && (rc == 0)) 979 goto ssetup_ntlmssp_authenticate; 980 981 return rc; 982} 983