projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
cifs: fix cifs_show_options to show "username=" or "multiuser"
[linux-2.6-block.git] / fs / cifs / sess.c
CommitLineData
3979877e
SF		 1/*
2 * fs/cifs/sess.c
3 *
4 * SMB/CIFS session setup handling routines
5 *
d185cda7 6 * Copyright (c) International Business Machines Corp., 2006, 2009
3979877e
SF		 7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24#include "cifspdu.h"
25#include "cifsglob.h"
26#include "cifsproto.h"
27#include "cifs_unicode.h"
28#include "cifs_debug.h"
29#include "ntlmssp.h"
30#include "nterr.h"
9c53588e 31#include <linux/utsname.h>
5a0e3ad6 32#include <linux/slab.h>
2442421b 33#include "cifs_spnego.h"
3979877e 34
3979877e 35extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
790fe579 36 unsigned char *p24);
3979877e 37
ebe6aa5a
JL		 38/*
39 * Checks if this is the first smb session to be reconnected after
40 * the socket has been reestablished (so we know whether to use vc 0).
41 * Called while holding the cifs_tcp_ses_lock, so do not block
42 */
eca6acf9
SF		 43static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
44{
45 struct list_head *tmp;
46 struct cifsSesInfo *tmp_ses;
47
48 list_for_each(tmp, &ses->server->smb_ses_list) {
49 tmp_ses = list_entry(tmp, struct cifsSesInfo,
50 smb_ses_list);
51 if (tmp_ses->need_reconnect == false)
52 return false;
53 }
54 /* could not find a session that was already connected,
55 this must be the first one we are reconnecting */
56 return true;
57}
58
59/*
60 * vc number 0 is treated specially by some servers, and should be the
61 * first one we request. After that we can use vcnumbers up to maxvcs,
62 * one for each smb session (some Windows versions set maxvcs incorrectly
63 * so maxvc=1 can be ignored). If we have too many vcs, we can reuse
64 * any vc but zero (some servers reset the connection on vcnum zero)
65 *
66 */
67static __le16 get_next_vcnum(struct cifsSesInfo *ses)
68{
69 __u16 vcnum = 0;
70 struct list_head *tmp;
71 struct cifsSesInfo *tmp_ses;
72 __u16 max_vcs = ses->server->max_vcs;
73 __u16 i;
74 int free_vc_found = 0;
75
76 /* Quoting the MS-SMB specification: "Windows-based SMB servers set this
77 field to one but do not enforce this limit, which allows an SMB client
78 to establish more virtual circuits than allowed by this value ... but
79 other server implementations can enforce this limit." */
80 if (max_vcs < 2)
81 max_vcs = 0xFFFF;
82
83 write_lock(&cifs_tcp_ses_lock);
84 if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
85 goto get_vc_num_exit; /* vcnum will be zero */
86 for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
87 if (i == 0) /* this is the only connection, use vc 0 */
88 break;
89
90 free_vc_found = 1;
91
92 list_for_each(tmp, &ses->server->smb_ses_list) {
93 tmp_ses = list_entry(tmp, struct cifsSesInfo,
94 smb_ses_list);
95 if (tmp_ses->vcnum == i) {
96 free_vc_found = 0;
97 break; /* found duplicate, try next vcnum */
98 }
99 }
100 if (free_vc_found)
101 break; /* we found a vcnumber that will work - use it */
102 }
103
104 if (i == 0)
105 vcnum = 0; /* for most common case, ie if one smb session, use
106 vc zero. Also for case when no free vcnum, zero
107 is safest to send (some clients only send zero) */
108 else if (free_vc_found == 0)
109 vcnum = 1; /* we can not reuse vc=0 safely, since some servers
110 reset all uids on that, but 1 is ok. */
111 else
112 vcnum = i;
113 ses->vcnum = vcnum;
114get_vc_num_exit:
115 write_unlock(&cifs_tcp_ses_lock);
116
051a2a0d 117 return cpu_to_le16(vcnum);
eca6acf9
SF		 118}
119
3979877e
SF		 120static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
121{
122 __u32 capabilities = 0;
123
124 /* init fields common to all four types of SessSetup */
eca6acf9
SF		 125 /* Note that offsets for first seven fields in req struct are same */
126 /* in CIFS Specs so does not matter which of 3 forms of struct */
127 /* that we use in next few lines */
128 /* Note that header is initialized to zero in header_assemble */
3979877e
SF		 129 pSMB->req.AndXCommand = 0xFF;
130 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
131 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
eca6acf9 132 pSMB->req.VcNumber = get_next_vcnum(ses);
3979877e
SF		 133
134 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
135
790fe579 136 /* BB verify whether signing required on neg or just on auth frame
3979877e
SF		 137 (and NTLM case) */
138
139 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
140 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
141
790fe579
SF		 142 if (ses->server->secMode &
143 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
3979877e
SF		 144 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
145
146 if (ses->capabilities & CAP_UNICODE) {
147 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
148 capabilities |= CAP_UNICODE;
149 }
150 if (ses->capabilities & CAP_STATUS32) {
151 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
152 capabilities |= CAP_STATUS32;
153 }
154 if (ses->capabilities & CAP_DFS) {
155 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
156 capabilities |= CAP_DFS;
157 }
26f57364 158 if (ses->capabilities & CAP_UNIX)
3979877e 159 capabilities |= CAP_UNIX;
3979877e 160
3979877e
SF		 161 return capabilities;
162}
163
0d3a01fa
JL		 164static void
165unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
166{
167 char *bcc_ptr = *pbcc_area;
168 int bytes_ret = 0;
169
170 /* Copy OS version */
171 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
172 nls_cp);
173 bcc_ptr += 2 * bytes_ret;
174 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
175 32, nls_cp);
176 bcc_ptr += 2 * bytes_ret;
177 bcc_ptr += 2; /* trailing null */
178
179 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
180 32, nls_cp);
181 bcc_ptr += 2 * bytes_ret;
182 bcc_ptr += 2; /* trailing null */
183
184 *pbcc_area = bcc_ptr;
185}
186
187static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
188 const struct nls_table *nls_cp)
189{
190 char *bcc_ptr = *pbcc_area;
191 int bytes_ret = 0;
192
193 /* copy domain */
194 if (ses->domainName == NULL) {
195 /* Sending null domain better than using a bogus domain name (as
196 we did briefly in 2.6.18) since server will use its default */
197 *bcc_ptr = 0;
198 *(bcc_ptr+1) = 0;
199 bytes_ret = 0;
200 } else
201 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
202 256, nls_cp);
203 bcc_ptr += 2 * bytes_ret;
204 bcc_ptr += 2; /* account for null terminator */
205
206 *pbcc_area = bcc_ptr;
207}
208
209
3870253e 210static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 211 const struct nls_table *nls_cp)
3979877e 212{
790fe579 213 char *bcc_ptr = *pbcc_area;
3979877e
SF		 214 int bytes_ret = 0;
215
216 /* BB FIXME add check that strings total less
217 than 335 or will need to send them as arrays */
218
0223cf0b
SF		 219 /* unicode strings, must be word aligned before the call */
220/* if ((long) bcc_ptr % 2) {
3979877e
SF		 221 *bcc_ptr = 0;
222 bcc_ptr++;
0223cf0b 223 } */
3979877e 224 /* copy user */
790fe579 225 if (ses->userName == NULL) {
6e659c63
SF		 226 /* null user mount */
227 *bcc_ptr = 0;
228 *(bcc_ptr+1) = 0;
301a6a31 229 } else {
3979877e 230 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
301a6a31 231 MAX_USERNAME_SIZE, nls_cp);
3979877e
SF		 232 }
233 bcc_ptr += 2 * bytes_ret;
234 bcc_ptr += 2; /* account for null termination */
3979877e 235
0d3a01fa
JL		 236 unicode_domain_string(&bcc_ptr, ses, nls_cp);
237 unicode_oslm_strings(&bcc_ptr, nls_cp);
3979877e
SF		 238
239 *pbcc_area = bcc_ptr;
240}
241
3870253e 242static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 243 const struct nls_table *nls_cp)
3979877e 244{
790fe579 245 char *bcc_ptr = *pbcc_area;
3979877e
SF		 246
247 /* copy user */
248 /* BB what about null user mounts - check that we do this BB */
790fe579
SF		 249 /* copy user */
250 if (ses->userName == NULL) {
251 /* BB what about null user mounts - check that we do this BB */
301a6a31
SF		 252 } else {
253 strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
790fe579 254 }
301a6a31 255 bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
3979877e 256 *bcc_ptr = 0;
790fe579 257 bcc_ptr++; /* account for null termination */
3979877e 258
790fe579
SF		 259 /* copy domain */
260
261 if (ses->domainName != NULL) {
262 strncpy(bcc_ptr, ses->domainName, 256);
3979877e 263 bcc_ptr += strnlen(ses->domainName, 256);
790fe579 264 } /* else we will send a null domain name
6e659c63 265 so the server will default to its own domain */
3979877e
SF		 266 *bcc_ptr = 0;
267 bcc_ptr++;
268
269 /* BB check for overflow here */
270
271 strcpy(bcc_ptr, "Linux version ");
272 bcc_ptr += strlen("Linux version ");
96b644bd
SH		 273 strcpy(bcc_ptr, init_utsname()->release);
274 bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e
SF		 275
276 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
277 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
278
790fe579 279 *pbcc_area = bcc_ptr;
3979877e
SF		 280}
281
59140797
JL		 282static void
283decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
284 const struct nls_table *nls_cp)
3979877e 285{
59140797 286 int len;
790fe579 287 char *data = *pbcc_area;
3979877e 288
b6b38f70 289 cFYI(1, "bleft %d", bleft);
3979877e 290
27b87fe5
JL		 291 /*
292 * Windows servers do not always double null terminate their final
293 * Unicode string. Check to see if there are an uneven number of bytes
294 * left. If so, then add an extra NULL pad byte to the end of the
295 * response.
296 *
297 * See section 2.7.2 in "Implementing CIFS" for details
298 */
299 if (bleft % 2) {
300 data[bleft] = 0;
301 ++bleft;
302 }
50c2f753 303
26f57364 304 kfree(ses->serverOS);
d185cda7 305 ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 306 cFYI(1, "serverOS=%s", ses->serverOS);
59140797
JL		 307 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
308 data += len;
309 bleft -= len;
310 if (bleft <= 0)
311 return;
3979877e 312
26f57364 313 kfree(ses->serverNOS);
d185cda7 314 ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 315 cFYI(1, "serverNOS=%s", ses->serverNOS);
59140797
JL		 316 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
317 data += len;
318 bleft -= len;
319 if (bleft <= 0)
320 return;
790fe579 321
26f57364 322 kfree(ses->serverDomain);
d185cda7 323 ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 324 cFYI(1, "serverDomain=%s", ses->serverDomain);
790fe579 325
59140797 326 return;
3979877e
SF		 327}
328
790fe579
SF		 329static int decode_ascii_ssetup(char **pbcc_area, int bleft,
330 struct cifsSesInfo *ses,
331 const struct nls_table *nls_cp)
3979877e
SF		 332{
333 int rc = 0;
334 int len;
790fe579 335 char *bcc_ptr = *pbcc_area;
3979877e 336
b6b38f70 337 cFYI(1, "decode sessetup ascii. bleft %d", bleft);
50c2f753 338
3979877e 339 len = strnlen(bcc_ptr, bleft);
790fe579 340 if (len >= bleft)
3979877e 341 return rc;
50c2f753 342
26f57364 343 kfree(ses->serverOS);
3979877e
SF		 344
345 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 346 if (ses->serverOS)
3979877e 347 strncpy(ses->serverOS, bcc_ptr, len);
790fe579 348 if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
b6b38f70 349 cFYI(1, "OS/2 server");
9ac00b7d
SF		 350 ses->flags |= CIFS_SES_OS2;
351 }
3979877e
SF		 352
353 bcc_ptr += len + 1;
354 bleft -= len + 1;
355
356 len = strnlen(bcc_ptr, bleft);
790fe579 357 if (len >= bleft)
3979877e
SF		 358 return rc;
359
26f57364 360 kfree(ses->serverNOS);
3979877e
SF		 361
362 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 363 if (ses->serverNOS)
3979877e
SF		 364 strncpy(ses->serverNOS, bcc_ptr, len);
365
366 bcc_ptr += len + 1;
367 bleft -= len + 1;
368
790fe579
SF		 369 len = strnlen(bcc_ptr, bleft);
370 if (len > bleft)
371 return rc;
3979877e 372
9ac00b7d
SF		 373 /* No domain field in LANMAN case. Domain is
374 returned by old servers in the SMB negprot response */
375 /* BB For newer servers which do not support Unicode,
376 but thus do return domain here we could add parsing
377 for it later, but it is not very important */
b6b38f70 378 cFYI(1, "ascii: bytes left %d", bleft);
3979877e
SF		 379
380 return rc;
381}
382
0b3cc858
SF		 383static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
384 struct cifsSesInfo *ses)
385{
2b149f11
SP		 386 unsigned int tioffset; /* challenge message target info area */
387 unsigned int tilen; /* challenge message target info area length */
388
0b3cc858
SF		 389 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
390
391 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
b6b38f70 392 cERROR(1, "challenge blob len %d too small", blob_len);
0b3cc858
SF		 393 return -EINVAL;
394 }
395
396 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
b6b38f70 397 cERROR(1, "blob signature incorrect %s", pblob->Signature);
0b3cc858
SF		 398 return -EINVAL;
399 }
400 if (pblob->MessageType != NtLmChallenge) {
b6b38f70 401 cERROR(1, "Incorrect message type %d", pblob->MessageType);
0b3cc858
SF		 402 return -EINVAL;
403 }
404
405 memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
406 /* BB we could decode pblob->NegotiateFlags; some may be useful */
407 /* In particular we can examine sign flags */
408 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
409 we must set the MIC field of the AUTHENTICATE_MESSAGE */
410
2b149f11
SP		 411 tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
412 tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
413 ses->tilen = tilen;
414 if (ses->tilen) {
415 ses->tiblob = kmalloc(tilen, GFP_KERNEL);
416 if (!ses->tiblob) {
417 cERROR(1, "Challenge target info allocation failure");
418 ses->tilen = 0;
419 return -ENOMEM;
420 }
421 memcpy(ses->tiblob, bcc_ptr + tioffset, ses->tilen);
422 }
423
0b3cc858
SF		 424 return 0;
425}
426
427#ifdef CONFIG_CIFS_EXPERIMENTAL
428/* BB Move to ntlmssp.c eventually */
429
430/* We do not malloc the blob, it is passed in pbuffer, because
431 it is fixed size, and small, making this approach cleaner */
432static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
433 struct cifsSesInfo *ses)
434{
435 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
436 __u32 flags;
437
438 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
439 sec_blob->MessageType = NtLmNegotiate;
440
441 /* BB is NTLMV2 session security format easier to use here? */
442 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
443 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 444 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858 445 if (ses->server->secMode &
745e507a
SF		 446 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
447 flags |= NTLMSSP_NEGOTIATE_SIGN;
448 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
449 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
0b3cc858
SF		 450
451 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
452
453 sec_blob->WorkstationName.BufferOffset = 0;
454 sec_blob->WorkstationName.Length = 0;
455 sec_blob->WorkstationName.MaximumLength = 0;
456
457 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
458 sec_blob->DomainName.BufferOffset = 0;
459 sec_blob->DomainName.Length = 0;
460 sec_blob->DomainName.MaximumLength = 0;
461}
462
463/* We do not malloc the blob, it is passed in pbuffer, because its
464 maximum possible size is fixed and small, making this approach cleaner.
465 This function returns the length of the data in the blob */
466static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
467 struct cifsSesInfo *ses,
2b149f11 468 const struct nls_table *nls_cp)
0b3cc858 469{
2b149f11
SP		 470 int rc;
471 unsigned int size;
0b3cc858
SF		 472 AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
473 __u32 flags;
474 unsigned char *tmp;
2b149f11 475 struct ntlmv2_resp ntlmv2_response = {};
0b3cc858
SF		 476
477 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
478 sec_blob->MessageType = NtLmAuthenticate;
479
480 flags = NTLMSSP_NEGOTIATE_56 |
481 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
482 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 483 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858
SF		 484 if (ses->server->secMode &
485 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
486 flags |= NTLMSSP_NEGOTIATE_SIGN;
487 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
488 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
489
490 tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
491 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
492
493 sec_blob->LmChallengeResponse.BufferOffset =
494 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
495 sec_blob->LmChallengeResponse.Length = 0;
496 sec_blob->LmChallengeResponse.MaximumLength = 0;
497
c8e56f1f 498 sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
2b149f11
SP		 499 rc = setup_ntlmv2_rsp(ses, (char *)&ntlmv2_response, nls_cp);
500 if (rc) {
501 cERROR(1, "Error %d during NTLMSSP authentication", rc);
502 goto setup_ntlmv2_ret;
503 }
504 size = sizeof(struct ntlmv2_resp);
505 memcpy(tmp, (char *)&ntlmv2_response, size);
506 tmp += size;
507 if (ses->tilen > 0) {
508 memcpy(tmp, ses->tiblob, ses->tilen);
509 tmp += ses->tilen;
510 }
c8e56f1f 511
2b149f11
SP		 512 sec_blob->NtChallengeResponse.Length = cpu_to_le16(size + ses->tilen);
513 sec_blob->NtChallengeResponse.MaximumLength =
514 cpu_to_le16(size + ses->tilen);
515 kfree(ses->tiblob);
516 ses->tiblob = NULL;
517 ses->tilen = 0;
0b3cc858
SF		 518
519 if (ses->domainName == NULL) {
520 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
521 sec_blob->DomainName.Length = 0;
522 sec_blob->DomainName.MaximumLength = 0;
523 tmp += 2;
524 } else {
525 int len;
526 len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
527 MAX_USERNAME_SIZE, nls_cp);
528 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 529 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
530 sec_blob->DomainName.Length = cpu_to_le16(len);
531 sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
532 tmp += len;
533 }
534
535 if (ses->userName == NULL) {
536 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
537 sec_blob->UserName.Length = 0;
538 sec_blob->UserName.MaximumLength = 0;
539 tmp += 2;
540 } else {
541 int len;
542 len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
543 MAX_USERNAME_SIZE, nls_cp);
544 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 545 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
546 sec_blob->UserName.Length = cpu_to_le16(len);
547 sec_blob->UserName.MaximumLength = cpu_to_le16(len);
548 tmp += len;
549 }
550
551 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
552 sec_blob->WorkstationName.Length = 0;
553 sec_blob->WorkstationName.MaximumLength = 0;
554 tmp += 2;
555
c8e56f1f
SF		 556 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
557 sec_blob->SessionKey.Length = 0;
558 sec_blob->SessionKey.MaximumLength = 0;
2b149f11
SP		 559
560setup_ntlmv2_ret:
0b3cc858
SF		 561 return tmp - pbuffer;
562}
563
564
565static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
566 struct cifsSesInfo *ses)
567{
568 build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
569 pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
570
571 return;
572}
0b3cc858
SF		 573#endif
574
790fe579 575int
ebe6aa5a
JL		 576CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
577 const struct nls_table *nls_cp)
3979877e
SF		 578{
579 int rc = 0;
580 int wct;
3979877e
SF		 581 struct smb_hdr *smb_buf;
582 char *bcc_ptr;
750d1151 583 char *str_area;
3979877e
SF		 584 SESSION_SETUP_ANDX *pSMB;
585 __u32 capabilities;
586 int count;
2442421b
SF		 587 int resp_buf_type;
588 struct kvec iov[3];
3979877e
SF		 589 enum securityEnum type;
590 __u16 action;
591 int bytes_remaining;
2442421b 592 struct key *spnego_key = NULL;
0b3cc858 593 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
ebe6aa5a 594 bool first_time;
2b149f11
SP		 595 int blob_len;
596 char *ntlmsspblob = NULL;
254e55ed 597
790fe579 598 if (ses == NULL)
3979877e
SF		 599 return -EINVAL;
600
ebe6aa5a
JL		 601 read_lock(&cifs_tcp_ses_lock);
602 first_time = is_first_ses_reconnect(ses);
603 read_unlock(&cifs_tcp_ses_lock);
604
3979877e 605 type = ses->server->secType;
f40c5628 606
b6b38f70 607 cFYI(1, "sess setup type %d", type);
0b3cc858
SF		 608ssetup_ntlmssp_authenticate:
609 if (phase == NtLmChallenge)
610 phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
611
790fe579 612 if (type == LANMAN) {
3979877e
SF		 613#ifndef CONFIG_CIFS_WEAK_PW_HASH
614 /* LANMAN and plaintext are less secure and off by default.
615 So we make this explicitly be turned on in kconfig (in the
616 build) and turned on at runtime (changed from the default)
617 in proc/fs/cifs or via mount parm. Unfortunately this is
618 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
619 return -EOPNOTSUPP;
620#endif
621 wct = 10; /* lanman 2 style sessionsetup */
790fe579 622 } else if ((type == NTLM) || (type == NTLMv2)) {
9312f675 623 /* For NTLMv2 failures eventually may need to retry NTLM */
3979877e 624 wct = 13; /* old style NTLM sessionsetup */
790fe579 625 } else /* same size: negotiate or auth, NTLMSSP or extended security */
3979877e
SF		 626 wct = 12;
627
628 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
629 (void **)&smb_buf);
790fe579 630 if (rc)
3979877e
SF		 631 return rc;
632
633 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
634
635 capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 636
2442421b
SF		 637 /* we will send the SMB in three pieces:
638 a fixed length beginning part, an optional
639 SPNEGO blob (which can be zero length), and a
640 last part which will include the strings
641 and rest of bcc area. This allows us to avoid
642 a large buffer 17K allocation */
790fe579
SF		 643 iov[0].iov_base = (char *)pSMB;
644 iov[0].iov_len = smb_buf->smb_buf_length + 4;
750d1151 645
2442421b
SF		 646 /* setting this here allows the code at the end of the function
647 to free the request buffer if there's an error */
648 resp_buf_type = CIFS_SMALL_BUFFER;
649
750d1151
SF		 650 /* 2000 big enough to fit max user, domain, NOS name etc. */
651 str_area = kmalloc(2000, GFP_KERNEL);
5e6e6232 652 if (str_area == NULL) {
2442421b
SF		 653 rc = -ENOMEM;
654 goto ssetup_exit;
5e6e6232 655 }
750d1151 656 bcc_ptr = str_area;
3979877e 657
9ac00b7d
SF		 658 ses->flags &= ~CIFS_SES_LANMAN;
659
2442421b
SF		 660 iov[1].iov_base = NULL;
661 iov[1].iov_len = 0;
662
790fe579 663 if (type == LANMAN) {
3979877e 664#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc 665 char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e 666
c76da9da
SF		 667 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
668
3979877e
SF		 669 /* no capabilities flags in old lanman negotiation */
670
790fe579 671 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e
SF		 672 /* BB calculate hash with password */
673 /* and copy into bcc */
674
4e53a3fb
JL		 675 calc_lanman_hash(ses->password, ses->server->cryptKey,
676 ses->server->secMode & SECMODE_PW_ENCRYPT ?
677 true : false, lnm_session_key);
678
790fe579 679 ses->flags |= CIFS_SES_LANMAN;
7c7b25bc
SF		 680 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
681 bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e
SF		 682
683 /* can not sign if LANMAN negotiated so no need
684 to calculate signing key? but what if server
685 changed to do higher than lanman dialect and
686 we reconnected would we ever calc signing_key? */
687
b6b38f70 688 cFYI(1, "Negotiating LANMAN setting up strings");
3979877e
SF		 689 /* Unicode not allowed for LANMAN dialects */
690 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
790fe579 691#endif
3979877e 692 } else if (type == NTLM) {
7c7b25bc 693 char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3979877e
SF		 694
695 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
696 pSMB->req_no_secext.CaseInsensitivePasswordLength =
7c7b25bc 697 cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e 698 pSMB->req_no_secext.CaseSensitivePasswordLength =
7c7b25bc 699 cpu_to_le16(CIFS_SESS_KEY_SIZE);
50c2f753 700
3979877e
SF		 701 /* calculate session key */
702 SMBNTencrypt(ses->password, ses->server->cryptKey,
703 ntlm_session_key);
704
790fe579 705 if (first_time) /* should this be moved into common code
3979877e 706 with similar ntlmv2 path? */
5f98ca9a 707 cifs_calculate_session_key(&ses->server->session_key,
3979877e
SF		 708 ntlm_session_key, ses->password);
709 /* copy session key */
710
790fe579 711 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc 712 bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579 713 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc 714 bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579 715 if (ses->capabilities & CAP_UNICODE) {
0223cf0b
SF		 716 /* unicode strings must be word aligned */
717 if (iov[0].iov_len % 2) {
718 *bcc_ptr = 0;
790fe579
SF		 719 bcc_ptr++;
720 }
7c7b25bc 721 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 722 } else
7c7b25bc
SF		 723 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
724 } else if (type == NTLMv2) {
790fe579 725 char *v2_sess_key =
6d027cfd 726 kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
f64b23ae
SF		 727
728 /* BB FIXME change all users of v2_sess_key to
729 struct ntlmv2_resp */
7c7b25bc 730
790fe579 731 if (v2_sess_key == NULL) {
2442421b
SF		 732 rc = -ENOMEM;
733 goto ssetup_exit;
7c7b25bc
SF		 734 }
735
736 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
737
738 /* LM2 password would be here if we supported it */
739 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
740 /* cpu_to_le16(LM2_SESS_KEY_SIZE); */
741
742 pSMB->req_no_secext.CaseSensitivePasswordLength =
f64b23ae 743 cpu_to_le16(sizeof(struct ntlmv2_resp));
7c7b25bc
SF		 744
745 /* calculate session key */
2b149f11
SP		 746 rc = setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
747 if (rc) {
748 cERROR(1, "Error %d during NTLMv2 authentication", rc);
749 kfree(v2_sess_key);
750 goto ssetup_exit;
751 }
3870253e 752 memcpy(bcc_ptr, (char *)v2_sess_key,
2b149f11 753 sizeof(struct ntlmv2_resp));
f64b23ae
SF		 754 bcc_ptr += sizeof(struct ntlmv2_resp);
755 kfree(v2_sess_key);
2b149f11
SP		 756 if (ses->tilen > 0) {
757 memcpy(bcc_ptr, ses->tiblob, ses->tilen);
758 bcc_ptr += ses->tilen;
759 /* we never did allocate ses->domainName to free */
760 kfree(ses->tiblob);
761 ses->tiblob = NULL;
762 ses->tilen = 0;
763 }
790fe579
SF		 764 if (ses->capabilities & CAP_UNICODE) {
765 if (iov[0].iov_len % 2) {
0223cf0b 766 *bcc_ptr = 0;
26f57364
SF		 767 bcc_ptr++;
768 }
3979877e 769 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 770 } else
3979877e 771 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
26efa0ba 772 } else if (type == Kerberos) {
2442421b
SF		 773#ifdef CONFIG_CIFS_UPCALL
774 struct cifs_spnego_msg *msg;
775 spnego_key = cifs_get_spnego_key(ses);
776 if (IS_ERR(spnego_key)) {
777 rc = PTR_ERR(spnego_key);
778 spnego_key = NULL;
779 goto ssetup_exit;
780 }
781
782 msg = spnego_key->payload.data;
6ce5eecb
SF		 783 /* check version field to make sure that cifs.upcall is
784 sending us a response in an expected form */
785 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
b6b38f70 786 cERROR(1, "incorrect version of cifs.upcall (expected"
6ce5eecb 787 " %d but got %d)",
b6b38f70 788 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
6ce5eecb
SF		 789 rc = -EKEYREJECTED;
790 goto ssetup_exit;
791 }
2442421b
SF		 792 /* bail out if key is too long */
793 if (msg->sesskey_len >
5f98ca9a 794 sizeof(ses->server->session_key.data.krb5)) {
b6b38f70
JP		 795 cERROR(1, "Kerberos signing key too long (%u bytes)",
796 msg->sesskey_len);
2442421b
SF		 797 rc = -EOVERFLOW;
798 goto ssetup_exit;
799 }
1a67570c 800 if (first_time) {
5f98ca9a
SP		 801 ses->server->session_key.len = msg->sesskey_len;
802 memcpy(ses->server->session_key.data.krb5,
1a67570c
JL		 803 msg->data, msg->sesskey_len);
804 }
3979877e
SF		 805 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
806 capabilities |= CAP_EXTENDED_SECURITY;
807 pSMB->req.Capabilities = cpu_to_le32(capabilities);
2442421b
SF		 808 iov[1].iov_base = msg->data + msg->sesskey_len;
809 iov[1].iov_len = msg->secblob_len;
810 pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
811
812 if (ses->capabilities & CAP_UNICODE) {
813 /* unicode strings must be word aligned */
28c5a02a 814 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
2442421b
SF		 815 *bcc_ptr = 0;
816 bcc_ptr++;
817 }
818 unicode_oslm_strings(&bcc_ptr, nls_cp);
819 unicode_domain_string(&bcc_ptr, ses, nls_cp);
820 } else
821 /* BB: is this right? */
822 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
823#else /* ! CONFIG_CIFS_UPCALL */
b6b38f70 824 cERROR(1, "Kerberos negotiated but upcall support disabled!");
2442421b
SF		 825 rc = -ENOSYS;
826 goto ssetup_exit;
827#endif /* CONFIG_CIFS_UPCALL */
828 } else {
0b3cc858 829#ifdef CONFIG_CIFS_EXPERIMENTAL
f46c7234 830 if (type == RawNTLMSSP) {
0b3cc858 831 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
b6b38f70 832 cERROR(1, "NTLMSSP requires Unicode support");
0b3cc858
SF		 833 rc = -ENOSYS;
834 goto ssetup_exit;
835 }
836
b6b38f70 837 cFYI(1, "ntlmssp session setup phase %d", phase);
0b3cc858
SF		 838 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
839 capabilities |= CAP_EXTENDED_SECURITY;
840 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
841 if (phase == NtLmNegotiate) {
842 setup_ntlmssp_neg_req(pSMB, ses);
843 iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
2b149f11 844 iov[1].iov_base = &pSMB->req.SecurityBlob[0];
0b3cc858 845 } else if (phase == NtLmAuthenticate) {
2b149f11
SP		 846 /* 5 is an empirical value, large enought to
847 * hold authenticate message, max 10 of
848 * av paris, doamin,user,workstation mames,
849 * flags etc..
850 */
851 ntlmsspblob = kmalloc(
852 5*sizeof(struct _AUTHENTICATE_MESSAGE),
853 GFP_KERNEL);
854 if (!ntlmsspblob) {
855 cERROR(1, "Can't allocate NTLMSSP");
856 rc = -ENOMEM;
857 goto ssetup_exit;
858 }
859
860 blob_len = build_ntlmssp_auth_blob(ntlmsspblob,
861 ses, nls_cp);
0b3cc858 862 iov[1].iov_len = blob_len;
2b149f11
SP		 863 iov[1].iov_base = ntlmsspblob;
864 pSMB->req.SecurityBlobLength =
865 cpu_to_le16(blob_len);
844823cb
SF		 866 /* Make sure that we tell the server that we
867 are using the uid that it just gave us back
868 on the response (challenge) */
869 smb_buf->Uid = ses->Suid;
0b3cc858 870 } else {
b6b38f70 871 cERROR(1, "invalid phase %d", phase);
0b3cc858
SF		 872 rc = -ENOSYS;
873 goto ssetup_exit;
874 }
0b3cc858
SF		 875 /* unicode strings must be word aligned */
876 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
877 *bcc_ptr = 0;
878 bcc_ptr++;
879 }
880 unicode_oslm_strings(&bcc_ptr, nls_cp);
881 } else {
b6b38f70 882 cERROR(1, "secType %d not supported!", type);
0b3cc858
SF		 883 rc = -ENOSYS;
884 goto ssetup_exit;
885 }
886#else
b6b38f70 887 cERROR(1, "secType %d not supported!", type);
2442421b
SF		 888 rc = -ENOSYS;
889 goto ssetup_exit;
0b3cc858 890#endif
3979877e
SF		 891 }
892
2442421b
SF		 893 iov[2].iov_base = str_area;
894 iov[2].iov_len = (long) bcc_ptr - (long) str_area;
895
896 count = iov[1].iov_len + iov[2].iov_len;
3979877e
SF		 897 smb_buf->smb_buf_length += count;
898
3979877e
SF		 899 BCC_LE(smb_buf) = cpu_to_le16(count);
900
2442421b 901 rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
133672ef 902 CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
3979877e
SF		 903 /* SMB request buf freed in SendReceive2 */
904
b6b38f70 905 cFYI(1, "ssetup rc from sendrecv2 is %d", rc);
3979877e
SF		 906
907 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
908 smb_buf = (struct smb_hdr *)iov[0].iov_base;
909
0b3cc858
SF		 910 if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
911 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
912 if (phase != NtLmNegotiate) {
b6b38f70 913 cERROR(1, "Unexpected more processing error");
0b3cc858
SF		 914 goto ssetup_exit;
915 }
916 /* NTLMSSP Negotiate sent now processing challenge (response) */
917 phase = NtLmChallenge; /* process ntlmssp challenge */
918 rc = 0; /* MORE_PROC rc is not an error here, but expected */
919 }
920 if (rc)
921 goto ssetup_exit;
922
790fe579 923 if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
3979877e 924 rc = -EIO;
b6b38f70 925 cERROR(1, "bad word count %d", smb_buf->WordCount);
3979877e
SF		 926 goto ssetup_exit;
927 }
928 action = le16_to_cpu(pSMB->resp.Action);
929 if (action & GUEST_LOGIN)
b6b38f70 930 cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
3979877e 931 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
b6b38f70 932 cFYI(1, "UID = %d ", ses->Suid);
3979877e
SF		 933 /* response can have either 3 or 4 word count - Samba sends 3 */
934 /* and lanman response is 3 */
935 bytes_remaining = BCC(smb_buf);
936 bcc_ptr = pByteArea(smb_buf);
937
790fe579 938 if (smb_buf->WordCount == 4) {
3979877e
SF		 939 __u16 blob_len;
940 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
790fe579 941 if (blob_len > bytes_remaining) {
b6b38f70 942 cERROR(1, "bad security blob length %d", blob_len);
3979877e
SF		 943 rc = -EINVAL;
944 goto ssetup_exit;
945 }
0b3cc858
SF		 946 if (phase == NtLmChallenge) {
947 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
948 /* now goto beginning for ntlmssp authenticate phase */
949 if (rc)
950 goto ssetup_exit;
951 }
952 bcc_ptr += blob_len;
3979877e 953 bytes_remaining -= blob_len;
790fe579 954 }
3979877e
SF		 955
956 /* BB check if Unicode and decode strings */
27b87fe5
JL		 957 if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
958 /* unicode string area must be word-aligned */
959 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
960 ++bcc_ptr;
961 --bytes_remaining;
962 }
59140797 963 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
27b87fe5 964 } else {
63135e08
SF		 965 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
966 ses, nls_cp);
27b87fe5 967 }
50c2f753 968
3979877e 969ssetup_exit:
dfd15c46
JL		 970 if (spnego_key) {
971 key_revoke(spnego_key);
2442421b 972 key_put(spnego_key);
dfd15c46 973 }
750d1151 974 kfree(str_area);
2b149f11
SP		 975 kfree(ntlmsspblob);
976 ntlmsspblob = NULL;
790fe579 977 if (resp_buf_type == CIFS_SMALL_BUFFER) {
b6b38f70 978 cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
3979877e 979 cifs_small_buf_release(iov[0].iov_base);
790fe579 980 } else if (resp_buf_type == CIFS_LARGE_BUFFER)
3979877e
SF		 981 cifs_buf_release(iov[0].iov_base);
982
0b3cc858
SF		 983 /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
984 if ((phase == NtLmChallenge) && (rc == 0))
985 goto ssetup_ntlmssp_authenticate;
986
3979877e
SF		 987 return rc;
988}
Linux 6.x block layer and io_uring tree(s)