Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
sess.c
Go to the documentation of this file.
1 /*
2  * fs/cifs/sess.c
3  *
4  * SMB/CIFS session setup handling routines
5  *
6  * Copyright (c) International Business Machines Corp., 2006, 2009
7  * Author(s): Steve French ([email protected])
8  *
9  * This library is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU Lesser General Public License as published
11  * by the Free Software Foundation; either version 2.1 of the License, or
12  * (at your option) any later version.
13  *
14  * This library is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17  * the GNU Lesser General Public License for more details.
18  *
19  * You should have received a copy of the GNU Lesser General Public License
20  * along with this library; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22  */
23 
24 #include "cifspdu.h"
25 #include "cifsglob.h"
26 #include "cifsproto.h"
27 #include "cifs_unicode.h"
28 #include "cifs_debug.h"
29 #include "ntlmssp.h"
30 #include "nterr.h"
31 #include <linux/utsname.h>
32 #include <linux/slab.h>
33 #include "cifs_spnego.h"
34 
35 /*
36  * Checks if this is the first smb session to be reconnected after
37  * the socket has been reestablished (so we know whether to use vc 0).
38  * Called while holding the cifs_tcp_ses_lock, so do not block
39  */
40 static bool is_first_ses_reconnect(struct cifs_ses *ses)
41 {
42  struct list_head *tmp;
43  struct cifs_ses *tmp_ses;
44 
45  list_for_each(tmp, &ses->server->smb_ses_list) {
46  tmp_ses = list_entry(tmp, struct cifs_ses,
47  smb_ses_list);
48  if (tmp_ses->need_reconnect == false)
49  return false;
50  }
51  /* could not find a session that was already connected,
52  this must be the first one we are reconnecting */
53  return true;
54 }
55 
56 /*
57  * vc number 0 is treated specially by some servers, and should be the
58  * first one we request. After that we can use vcnumbers up to maxvcs,
59  * one for each smb session (some Windows versions set maxvcs incorrectly
60  * so maxvc=1 can be ignored). If we have too many vcs, we can reuse
61  * any vc but zero (some servers reset the connection on vcnum zero)
62  *
63  */
64 static __le16 get_next_vcnum(struct cifs_ses *ses)
65 {
66  __u16 vcnum = 0;
67  struct list_head *tmp;
68  struct cifs_ses *tmp_ses;
69  __u16 max_vcs = ses->server->max_vcs;
70  __u16 i;
71  int free_vc_found = 0;
72 
73  /* Quoting the MS-SMB specification: "Windows-based SMB servers set this
74  field to one but do not enforce this limit, which allows an SMB client
75  to establish more virtual circuits than allowed by this value ... but
76  other server implementations can enforce this limit." */
77  if (max_vcs < 2)
78  max_vcs = 0xFFFF;
79 
80  spin_lock(&cifs_tcp_ses_lock);
81  if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
82  goto get_vc_num_exit; /* vcnum will be zero */
83  for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
84  if (i == 0) /* this is the only connection, use vc 0 */
85  break;
86 
87  free_vc_found = 1;
88 
89  list_for_each(tmp, &ses->server->smb_ses_list) {
90  tmp_ses = list_entry(tmp, struct cifs_ses,
91  smb_ses_list);
92  if (tmp_ses->vcnum == i) {
93  free_vc_found = 0;
94  break; /* found duplicate, try next vcnum */
95  }
96  }
97  if (free_vc_found)
98  break; /* we found a vcnumber that will work - use it */
99  }
100 
101  if (i == 0)
102  vcnum = 0; /* for most common case, ie if one smb session, use
103  vc zero. Also for case when no free vcnum, zero
104  is safest to send (some clients only send zero) */
105  else if (free_vc_found == 0)
106  vcnum = 1; /* we can not reuse vc=0 safely, since some servers
107  reset all uids on that, but 1 is ok. */
108  else
109  vcnum = i;
110  ses->vcnum = vcnum;
111 get_vc_num_exit:
112  spin_unlock(&cifs_tcp_ses_lock);
113 
114  return cpu_to_le16(vcnum);
115 }
116 
117 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
118 {
119  __u32 capabilities = 0;
120 
121  /* init fields common to all four types of SessSetup */
122  /* Note that offsets for first seven fields in req struct are same */
123  /* in CIFS Specs so does not matter which of 3 forms of struct */
124  /* that we use in next few lines */
125  /* Note that header is initialized to zero in header_assemble */
126  pSMB->req.AndXCommand = 0xFF;
127  pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
128  CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
129  USHRT_MAX));
130  pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
131  pSMB->req.VcNumber = get_next_vcnum(ses);
132 
133  /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
134 
135  /* BB verify whether signing required on neg or just on auth frame
136  (and NTLM case) */
137 
138  capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
139  CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
140 
141  if (ses->server->sec_mode &
142  (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
143  pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
144 
145  if (ses->capabilities & CAP_UNICODE) {
146  pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
147  capabilities |= CAP_UNICODE;
148  }
149  if (ses->capabilities & CAP_STATUS32) {
150  pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
151  capabilities |= CAP_STATUS32;
152  }
153  if (ses->capabilities & CAP_DFS) {
154  pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
155  capabilities |= CAP_DFS;
156  }
157  if (ses->capabilities & CAP_UNIX)
158  capabilities |= CAP_UNIX;
159 
160  return capabilities;
161 }
162 
163 static void
164 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
165 {
166  char *bcc_ptr = *pbcc_area;
167  int bytes_ret = 0;
168 
169  /* Copy OS version */
170  bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
171  nls_cp);
172  bcc_ptr += 2 * bytes_ret;
173  bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
174  32, nls_cp);
175  bcc_ptr += 2 * bytes_ret;
176  bcc_ptr += 2; /* trailing null */
177 
178  bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
179  32, nls_cp);
180  bcc_ptr += 2 * bytes_ret;
181  bcc_ptr += 2; /* trailing null */
182 
183  *pbcc_area = bcc_ptr;
184 }
185 
186 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
187  const struct nls_table *nls_cp)
188 {
189  char *bcc_ptr = *pbcc_area;
190  int bytes_ret = 0;
191 
192  /* copy domain */
193  if (ses->domainName == NULL) {
194  /* Sending null domain better than using a bogus domain name (as
195  we did briefly in 2.6.18) since server will use its default */
196  *bcc_ptr = 0;
197  *(bcc_ptr+1) = 0;
198  bytes_ret = 0;
199  } else
200  bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
201  256, nls_cp);
202  bcc_ptr += 2 * bytes_ret;
203  bcc_ptr += 2; /* account for null terminator */
204 
205  *pbcc_area = bcc_ptr;
206 }
207 
208 
209 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
210  const struct nls_table *nls_cp)
211 {
212  char *bcc_ptr = *pbcc_area;
213  int bytes_ret = 0;
214 
215  /* BB FIXME add check that strings total less
216  than 335 or will need to send them as arrays */
217 
218  /* unicode strings, must be word aligned before the call */
219 /* if ((long) bcc_ptr % 2) {
220  *bcc_ptr = 0;
221  bcc_ptr++;
222  } */
223  /* copy user */
224  if (ses->user_name == NULL) {
225  /* null user mount */
226  *bcc_ptr = 0;
227  *(bcc_ptr+1) = 0;
228  } else {
229  bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
230  MAX_USERNAME_SIZE, nls_cp);
231  }
232  bcc_ptr += 2 * bytes_ret;
233  bcc_ptr += 2; /* account for null termination */
234 
235  unicode_domain_string(&bcc_ptr, ses, nls_cp);
236  unicode_oslm_strings(&bcc_ptr, nls_cp);
237 
238  *pbcc_area = bcc_ptr;
239 }
240 
241 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
242  const struct nls_table *nls_cp)
243 {
244  char *bcc_ptr = *pbcc_area;
245 
246  /* copy user */
247  /* BB what about null user mounts - check that we do this BB */
248  /* copy user */
249  if (ses->user_name != NULL) {
250  strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
251  bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
252  }
253  /* else null user mount */
254  *bcc_ptr = 0;
255  bcc_ptr++; /* account for null termination */
256 
257  /* copy domain */
258  if (ses->domainName != NULL) {
259  strncpy(bcc_ptr, ses->domainName, 256);
260  bcc_ptr += strnlen(ses->domainName, 256);
261  } /* else we will send a null domain name
262  so the server will default to its own domain */
263  *bcc_ptr = 0;
264  bcc_ptr++;
265 
266  /* BB check for overflow here */
267 
268  strcpy(bcc_ptr, "Linux version ");
269  bcc_ptr += strlen("Linux version ");
270  strcpy(bcc_ptr, init_utsname()->release);
271  bcc_ptr += strlen(init_utsname()->release) + 1;
272 
273  strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
274  bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
275 
276  *pbcc_area = bcc_ptr;
277 }
278 
279 static void
280 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
281  const struct nls_table *nls_cp)
282 {
283  int len;
284  char *data = *pbcc_area;
285 
286  cFYI(1, "bleft %d", bleft);
287 
288  kfree(ses->serverOS);
289  ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
290  cFYI(1, "serverOS=%s", ses->serverOS);
291  len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
292  data += len;
293  bleft -= len;
294  if (bleft <= 0)
295  return;
296 
297  kfree(ses->serverNOS);
298  ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
299  cFYI(1, "serverNOS=%s", ses->serverNOS);
300  len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
301  data += len;
302  bleft -= len;
303  if (bleft <= 0)
304  return;
305 
306  kfree(ses->serverDomain);
307  ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
308  cFYI(1, "serverDomain=%s", ses->serverDomain);
309 
310  return;
311 }
312 
313 static int decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
314  struct cifs_ses *ses,
315  const struct nls_table *nls_cp)
316 {
317  int rc = 0;
318  int len;
319  char *bcc_ptr = *pbcc_area;
320 
321  cFYI(1, "decode sessetup ascii. bleft %d", bleft);
322 
323  len = strnlen(bcc_ptr, bleft);
324  if (len >= bleft)
325  return rc;
326 
327  kfree(ses->serverOS);
328 
329  ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
330  if (ses->serverOS)
331  strncpy(ses->serverOS, bcc_ptr, len);
332  if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
333  cFYI(1, "OS/2 server");
334  ses->flags |= CIFS_SES_OS2;
335  }
336 
337  bcc_ptr += len + 1;
338  bleft -= len + 1;
339 
340  len = strnlen(bcc_ptr, bleft);
341  if (len >= bleft)
342  return rc;
343 
344  kfree(ses->serverNOS);
345 
346  ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
347  if (ses->serverNOS)
348  strncpy(ses->serverNOS, bcc_ptr, len);
349 
350  bcc_ptr += len + 1;
351  bleft -= len + 1;
352 
353  len = strnlen(bcc_ptr, bleft);
354  if (len > bleft)
355  return rc;
356 
357  /* No domain field in LANMAN case. Domain is
358  returned by old servers in the SMB negprot response */
359  /* BB For newer servers which do not support Unicode,
360  but thus do return domain here we could add parsing
361  for it later, but it is not very important */
362  cFYI(1, "ascii: bytes left %d", bleft);
363 
364  return rc;
365 }
366 
367 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
368  struct cifs_ses *ses)
369 {
370  unsigned int tioffset; /* challenge message target info area */
371  unsigned int tilen; /* challenge message target info area length */
372 
373  CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
374 
375  if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
376  cERROR(1, "challenge blob len %d too small", blob_len);
377  return -EINVAL;
378  }
379 
380  if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
381  cERROR(1, "blob signature incorrect %s", pblob->Signature);
382  return -EINVAL;
383  }
384  if (pblob->MessageType != NtLmChallenge) {
385  cERROR(1, "Incorrect message type %d", pblob->MessageType);
386  return -EINVAL;
387  }
388 
389  memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
390  /* BB we could decode pblob->NegotiateFlags; some may be useful */
391  /* In particular we can examine sign flags */
392  /* BB spec says that if AvId field of MsvAvTimestamp is populated then
393  we must set the MIC field of the AUTHENTICATE_MESSAGE */
394  ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
395  tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
396  tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
397  if (tioffset > blob_len || tioffset + tilen > blob_len) {
398  cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
399  return -EINVAL;
400  }
401  if (tilen) {
402  ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
403  if (!ses->auth_key.response) {
404  cERROR(1, "Challenge target info allocation failure");
405  return -ENOMEM;
406  }
407  memcpy(ses->auth_key.response, bcc_ptr + tioffset, tilen);
408  ses->auth_key.len = tilen;
409  }
410 
411  return 0;
412 }
413 
414 /* BB Move to ntlmssp.c eventually */
415 
416 /* We do not malloc the blob, it is passed in pbuffer, because
417  it is fixed size, and small, making this approach cleaner */
418 void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
419  struct cifs_ses *ses)
420 {
421  NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
422  __u32 flags;
423 
424  memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
425  memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
426  sec_blob->MessageType = NtLmNegotiate;
427 
428  /* BB is NTLMV2 session security format easier to use here? */
429  flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
430  NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
431  NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
432  if (ses->server->sec_mode &
433  (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
434  flags |= NTLMSSP_NEGOTIATE_SIGN;
435  if (!ses->server->session_estab)
436  flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
437  }
438 
439  sec_blob->NegotiateFlags = cpu_to_le32(flags);
440 
441  sec_blob->WorkstationName.BufferOffset = 0;
442  sec_blob->WorkstationName.Length = 0;
443  sec_blob->WorkstationName.MaximumLength = 0;
444 
445  /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
446  sec_blob->DomainName.BufferOffset = 0;
447  sec_blob->DomainName.Length = 0;
448  sec_blob->DomainName.MaximumLength = 0;
449 }
450 
451 /* We do not malloc the blob, it is passed in pbuffer, because its
452  maximum possible size is fixed and small, making this approach cleaner.
453  This function returns the length of the data in the blob */
454 int build_ntlmssp_auth_blob(unsigned char *pbuffer,
455  u16 *buflen,
456  struct cifs_ses *ses,
457  const struct nls_table *nls_cp)
458 {
459  int rc;
460  AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
461  __u32 flags;
462  unsigned char *tmp;
463 
464  memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
465  sec_blob->MessageType = NtLmAuthenticate;
466 
467  flags = NTLMSSP_NEGOTIATE_56 |
468  NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
469  NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
470  NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
471  if (ses->server->sec_mode &
472  (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
473  flags |= NTLMSSP_NEGOTIATE_SIGN;
474  if (!ses->server->session_estab)
475  flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
476  }
477 
478  tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
479  sec_blob->NegotiateFlags = cpu_to_le32(flags);
480 
481  sec_blob->LmChallengeResponse.BufferOffset =
482  cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
483  sec_blob->LmChallengeResponse.Length = 0;
484  sec_blob->LmChallengeResponse.MaximumLength = 0;
485 
486  sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
487  rc = setup_ntlmv2_rsp(ses, nls_cp);
488  if (rc) {
489  cERROR(1, "Error %d during NTLMSSP authentication", rc);
490  goto setup_ntlmv2_ret;
491  }
492  memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
493  ses->auth_key.len - CIFS_SESS_KEY_SIZE);
494  tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
495 
496  sec_blob->NtChallengeResponse.Length =
497  cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
498  sec_blob->NtChallengeResponse.MaximumLength =
499  cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
500 
501  if (ses->domainName == NULL) {
502  sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
503  sec_blob->DomainName.Length = 0;
504  sec_blob->DomainName.MaximumLength = 0;
505  tmp += 2;
506  } else {
507  int len;
508  len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
509  MAX_USERNAME_SIZE, nls_cp);
510  len *= 2; /* unicode is 2 bytes each */
511  sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
512  sec_blob->DomainName.Length = cpu_to_le16(len);
513  sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
514  tmp += len;
515  }
516 
517  if (ses->user_name == NULL) {
518  sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
519  sec_blob->UserName.Length = 0;
520  sec_blob->UserName.MaximumLength = 0;
521  tmp += 2;
522  } else {
523  int len;
524  len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
525  MAX_USERNAME_SIZE, nls_cp);
526  len *= 2; /* unicode is 2 bytes each */
527  sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
528  sec_blob->UserName.Length = cpu_to_le16(len);
529  sec_blob->UserName.MaximumLength = cpu_to_le16(len);
530  tmp += len;
531  }
532 
533  sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
534  sec_blob->WorkstationName.Length = 0;
535  sec_blob->WorkstationName.MaximumLength = 0;
536  tmp += 2;
537 
538  if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
539  (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
540  && !calc_seckey(ses)) {
541  memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
542  sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
543  sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
544  sec_blob->SessionKey.MaximumLength =
545  cpu_to_le16(CIFS_CPHTXT_SIZE);
546  tmp += CIFS_CPHTXT_SIZE;
547  } else {
548  sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
549  sec_blob->SessionKey.Length = 0;
550  sec_blob->SessionKey.MaximumLength = 0;
551  }
552 
553 setup_ntlmv2_ret:
554  *buflen = tmp - pbuffer;
555  return rc;
556 }
557 
558 int
559 CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
560  const struct nls_table *nls_cp)
561 {
562  int rc = 0;
563  int wct;
564  struct smb_hdr *smb_buf;
565  char *bcc_ptr;
566  char *str_area;
567  SESSION_SETUP_ANDX *pSMB;
568  __u32 capabilities;
569  __u16 count;
570  int resp_buf_type;
571  struct kvec iov[3];
572  enum securityEnum type;
573  __u16 action, bytes_remaining;
574  struct key *spnego_key = NULL;
575  __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
576  u16 blob_len;
577  char *ntlmsspblob = NULL;
578 
579  if (ses == NULL)
580  return -EINVAL;
581 
582  type = ses->server->secType;
583  cFYI(1, "sess setup type %d", type);
584  if (type == RawNTLMSSP) {
585  /* if memory allocation is successful, caller of this function
586  * frees it.
587  */
588  ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
589  if (!ses->ntlmssp)
590  return -ENOMEM;
591  }
592 
593 ssetup_ntlmssp_authenticate:
594  if (phase == NtLmChallenge)
595  phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
596 
597  if (type == LANMAN) {
598 #ifndef CONFIG_CIFS_WEAK_PW_HASH
599  /* LANMAN and plaintext are less secure and off by default.
600  So we make this explicitly be turned on in kconfig (in the
601  build) and turned on at runtime (changed from the default)
602  in proc/fs/cifs or via mount parm. Unfortunately this is
603  needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
604  return -EOPNOTSUPP;
605 #endif
606  wct = 10; /* lanman 2 style sessionsetup */
607  } else if ((type == NTLM) || (type == NTLMv2)) {
608  /* For NTLMv2 failures eventually may need to retry NTLM */
609  wct = 13; /* old style NTLM sessionsetup */
610  } else /* same size: negotiate or auth, NTLMSSP or extended security */
611  wct = 12;
612 
613  rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
614  (void **)&smb_buf);
615  if (rc)
616  return rc;
617 
618  pSMB = (SESSION_SETUP_ANDX *)smb_buf;
619 
620  capabilities = cifs_ssetup_hdr(ses, pSMB);
621 
622  /* we will send the SMB in three pieces:
623  a fixed length beginning part, an optional
624  SPNEGO blob (which can be zero length), and a
625  last part which will include the strings
626  and rest of bcc area. This allows us to avoid
627  a large buffer 17K allocation */
628  iov[0].iov_base = (char *)pSMB;
629  iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
630 
631  /* setting this here allows the code at the end of the function
632  to free the request buffer if there's an error */
633  resp_buf_type = CIFS_SMALL_BUFFER;
634 
635  /* 2000 big enough to fit max user, domain, NOS name etc. */
636  str_area = kmalloc(2000, GFP_KERNEL);
637  if (str_area == NULL) {
638  rc = -ENOMEM;
639  goto ssetup_exit;
640  }
641  bcc_ptr = str_area;
642 
643  ses->flags &= ~CIFS_SES_LANMAN;
644 
645  iov[1].iov_base = NULL;
646  iov[1].iov_len = 0;
647 
648  if (type == LANMAN) {
649 #ifdef CONFIG_CIFS_WEAK_PW_HASH
650  char lnm_session_key[CIFS_AUTH_RESP_SIZE];
651 
652  pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
653 
654  /* no capabilities flags in old lanman negotiation */
655 
656  pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
657 
658  /* Calculate hash with password and copy into bcc_ptr.
659  * Encryption Key (stored as in cryptkey) gets used if the
660  * security mode bit in Negottiate Protocol response states
661  * to use challenge/response method (i.e. Password bit is 1).
662  */
663 
664  rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
665  ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
666  true : false, lnm_session_key);
667 
668  ses->flags |= CIFS_SES_LANMAN;
669  memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
670  bcc_ptr += CIFS_AUTH_RESP_SIZE;
671 
672  /* can not sign if LANMAN negotiated so no need
673  to calculate signing key? but what if server
674  changed to do higher than lanman dialect and
675  we reconnected would we ever calc signing_key? */
676 
677  cFYI(1, "Negotiating LANMAN setting up strings");
678  /* Unicode not allowed for LANMAN dialects */
679  ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
680 #endif
681  } else if (type == NTLM) {
682  pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
683  pSMB->req_no_secext.CaseInsensitivePasswordLength =
684  cpu_to_le16(CIFS_AUTH_RESP_SIZE);
685  pSMB->req_no_secext.CaseSensitivePasswordLength =
686  cpu_to_le16(CIFS_AUTH_RESP_SIZE);
687 
688  /* calculate ntlm response and session key */
689  rc = setup_ntlm_response(ses, nls_cp);
690  if (rc) {
691  cERROR(1, "Error %d during NTLM authentication", rc);
692  goto ssetup_exit;
693  }
694 
695  /* copy ntlm response */
696  memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
697  CIFS_AUTH_RESP_SIZE);
698  bcc_ptr += CIFS_AUTH_RESP_SIZE;
699  memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
700  CIFS_AUTH_RESP_SIZE);
701  bcc_ptr += CIFS_AUTH_RESP_SIZE;
702 
703  if (ses->capabilities & CAP_UNICODE) {
704  /* unicode strings must be word aligned */
705  if (iov[0].iov_len % 2) {
706  *bcc_ptr = 0;
707  bcc_ptr++;
708  }
709  unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
710  } else
711  ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
712  } else if (type == NTLMv2) {
713  pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
714 
715  /* LM2 password would be here if we supported it */
716  pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
717 
718  /* calculate nlmv2 response and session key */
719  rc = setup_ntlmv2_rsp(ses, nls_cp);
720  if (rc) {
721  cERROR(1, "Error %d during NTLMv2 authentication", rc);
722  goto ssetup_exit;
723  }
724  memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
725  ses->auth_key.len - CIFS_SESS_KEY_SIZE);
726  bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
727 
728  /* set case sensitive password length after tilen may get
729  * assigned, tilen is 0 otherwise.
730  */
731  pSMB->req_no_secext.CaseSensitivePasswordLength =
732  cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
733 
734  if (ses->capabilities & CAP_UNICODE) {
735  if (iov[0].iov_len % 2) {
736  *bcc_ptr = 0;
737  bcc_ptr++;
738  }
739  unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
740  } else
741  ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
742  } else if (type == Kerberos) {
743 #ifdef CONFIG_CIFS_UPCALL
744  struct cifs_spnego_msg *msg;
745 
746  spnego_key = cifs_get_spnego_key(ses);
747  if (IS_ERR(spnego_key)) {
748  rc = PTR_ERR(spnego_key);
749  spnego_key = NULL;
750  goto ssetup_exit;
751  }
752 
753  msg = spnego_key->payload.data;
754  /* check version field to make sure that cifs.upcall is
755  sending us a response in an expected form */
756  if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
757  cERROR(1, "incorrect version of cifs.upcall (expected"
758  " %d but got %d)",
759  CIFS_SPNEGO_UPCALL_VERSION, msg->version);
760  rc = -EKEYREJECTED;
761  goto ssetup_exit;
762  }
763 
764  ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
765  if (!ses->auth_key.response) {
766  cERROR(1, "Kerberos can't allocate (%u bytes) memory",
767  msg->sesskey_len);
768  rc = -ENOMEM;
769  goto ssetup_exit;
770  }
771  memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
772  ses->auth_key.len = msg->sesskey_len;
773 
774  pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
775  capabilities |= CAP_EXTENDED_SECURITY;
776  pSMB->req.Capabilities = cpu_to_le32(capabilities);
777  iov[1].iov_base = msg->data + msg->sesskey_len;
778  iov[1].iov_len = msg->secblob_len;
779  pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
780 
781  if (ses->capabilities & CAP_UNICODE) {
782  /* unicode strings must be word aligned */
783  if ((iov[0].iov_len + iov[1].iov_len) % 2) {
784  *bcc_ptr = 0;
785  bcc_ptr++;
786  }
787  unicode_oslm_strings(&bcc_ptr, nls_cp);
788  unicode_domain_string(&bcc_ptr, ses, nls_cp);
789  } else
790  /* BB: is this right? */
791  ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
792 #else /* ! CONFIG_CIFS_UPCALL */
793  cERROR(1, "Kerberos negotiated but upcall support disabled!");
794  rc = -ENOSYS;
795  goto ssetup_exit;
796 #endif /* CONFIG_CIFS_UPCALL */
797  } else if (type == RawNTLMSSP) {
798  if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
799  cERROR(1, "NTLMSSP requires Unicode support");
800  rc = -ENOSYS;
801  goto ssetup_exit;
802  }
803 
804  cFYI(1, "ntlmssp session setup phase %d", phase);
805  pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
806  capabilities |= CAP_EXTENDED_SECURITY;
807  pSMB->req.Capabilities |= cpu_to_le32(capabilities);
808  switch(phase) {
809  case NtLmNegotiate:
810  build_ntlmssp_negotiate_blob(
811  pSMB->req.SecurityBlob, ses);
812  iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
813  iov[1].iov_base = pSMB->req.SecurityBlob;
814  pSMB->req.SecurityBlobLength =
815  cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
816  break;
817  case NtLmAuthenticate:
818  /*
819  * 5 is an empirical value, large enough to hold
820  * authenticate message plus max 10 of av paris,
821  * domain, user, workstation names, flags, etc.
822  */
823  ntlmsspblob = kzalloc(
824  5*sizeof(struct _AUTHENTICATE_MESSAGE),
825  GFP_KERNEL);
826  if (!ntlmsspblob) {
827  cERROR(1, "Can't allocate NTLMSSP blob");
828  rc = -ENOMEM;
829  goto ssetup_exit;
830  }
831 
832  rc = build_ntlmssp_auth_blob(ntlmsspblob,
833  &blob_len, ses, nls_cp);
834  if (rc)
835  goto ssetup_exit;
836  iov[1].iov_len = blob_len;
837  iov[1].iov_base = ntlmsspblob;
838  pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
839  /*
840  * Make sure that we tell the server that we are using
841  * the uid that it just gave us back on the response
842  * (challenge)
843  */
844  smb_buf->Uid = ses->Suid;
845  break;
846  default:
847  cERROR(1, "invalid phase %d", phase);
848  rc = -ENOSYS;
849  goto ssetup_exit;
850  }
851  /* unicode strings must be word aligned */
852  if ((iov[0].iov_len + iov[1].iov_len) % 2) {
853  *bcc_ptr = 0;
854  bcc_ptr++;
855  }
856  unicode_oslm_strings(&bcc_ptr, nls_cp);
857  } else {
858  cERROR(1, "secType %d not supported!", type);
859  rc = -ENOSYS;
860  goto ssetup_exit;
861  }
862 
863  iov[2].iov_base = str_area;
864  iov[2].iov_len = (long) bcc_ptr - (long) str_area;
865 
866  count = iov[1].iov_len + iov[2].iov_len;
867  smb_buf->smb_buf_length =
868  cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count);
869 
870  put_bcc(count, smb_buf);
871 
872  rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
873  CIFS_LOG_ERROR);
874  /* SMB request buf freed in SendReceive2 */
875 
876  pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
877  smb_buf = (struct smb_hdr *)iov[0].iov_base;
878 
879  if ((type == RawNTLMSSP) && (resp_buf_type != CIFS_NO_BUFFER) &&
880  (smb_buf->Status.CifsError ==
881  cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
882  if (phase != NtLmNegotiate) {
883  cERROR(1, "Unexpected more processing error");
884  goto ssetup_exit;
885  }
886  /* NTLMSSP Negotiate sent now processing challenge (response) */
887  phase = NtLmChallenge; /* process ntlmssp challenge */
888  rc = 0; /* MORE_PROC rc is not an error here, but expected */
889  }
890  if (rc)
891  goto ssetup_exit;
892 
893  if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
894  rc = -EIO;
895  cERROR(1, "bad word count %d", smb_buf->WordCount);
896  goto ssetup_exit;
897  }
898  action = le16_to_cpu(pSMB->resp.Action);
899  if (action & GUEST_LOGIN)
900  cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
901  ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
902  cFYI(1, "UID = %llu ", ses->Suid);
903  /* response can have either 3 or 4 word count - Samba sends 3 */
904  /* and lanman response is 3 */
905  bytes_remaining = get_bcc(smb_buf);
906  bcc_ptr = pByteArea(smb_buf);
907 
908  if (smb_buf->WordCount == 4) {
909  blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
910  if (blob_len > bytes_remaining) {
911  cERROR(1, "bad security blob length %d", blob_len);
912  rc = -EINVAL;
913  goto ssetup_exit;
914  }
915  if (phase == NtLmChallenge) {
916  rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
917  /* now goto beginning for ntlmssp authenticate phase */
918  if (rc)
919  goto ssetup_exit;
920  }
921  bcc_ptr += blob_len;
922  bytes_remaining -= blob_len;
923  }
924 
925  /* BB check if Unicode and decode strings */
926  if (bytes_remaining == 0) {
927  /* no string area to decode, do nothing */
928  } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
929  /* unicode string area must be word-aligned */
930  if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
931  ++bcc_ptr;
932  --bytes_remaining;
933  }
934  decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
935  } else {
936  rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
937  ses, nls_cp);
938  }
939 
940 ssetup_exit:
941  if (spnego_key) {
942  key_invalidate(spnego_key);
943  key_put(spnego_key);
944  }
945  kfree(str_area);
946  kfree(ntlmsspblob);
947  ntlmsspblob = NULL;
948  if (resp_buf_type == CIFS_SMALL_BUFFER) {
949  cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
950  cifs_small_buf_release(iov[0].iov_base);
951  } else if (resp_buf_type == CIFS_LARGE_BUFFER)
952  cifs_buf_release(iov[0].iov_base);
953 
954  /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
955  if ((phase == NtLmChallenge) && (rc == 0))
956  goto ssetup_ntlmssp_authenticate;
957 
958  return rc;
959 }
Generated on Thu Jan 10 2013 14:46:12 for Linux Kernel by   doxygen 1.8.2