projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Clean up two declarations of blob_len
[deliverable/linux.git] / fs / cifs / sess.c
CommitLineData
3979877e
SF		 1/*
2 * fs/cifs/sess.c
3 *
4 * SMB/CIFS session setup handling routines
5 *
d185cda7 6 * Copyright (c) International Business Machines Corp., 2006, 2009
3979877e
SF		 7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24#include "cifspdu.h"
25#include "cifsglob.h"
26#include "cifsproto.h"
27#include "cifs_unicode.h"
28#include "cifs_debug.h"
29#include "ntlmssp.h"
30#include "nterr.h"
9c53588e 31#include <linux/utsname.h>
5a0e3ad6 32#include <linux/slab.h>
2442421b 33#include "cifs_spnego.h"
3979877e 34
3979877e 35extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
790fe579 36 unsigned char *p24);
3979877e 37
ebe6aa5a
JL		 38/*
39 * Checks if this is the first smb session to be reconnected after
40 * the socket has been reestablished (so we know whether to use vc 0).
41 * Called while holding the cifs_tcp_ses_lock, so do not block
42 */
eca6acf9
SF		 43static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
44{
45 struct list_head *tmp;
46 struct cifsSesInfo *tmp_ses;
47
48 list_for_each(tmp, &ses->server->smb_ses_list) {
49 tmp_ses = list_entry(tmp, struct cifsSesInfo,
50 smb_ses_list);
51 if (tmp_ses->need_reconnect == false)
52 return false;
53 }
54 /* could not find a session that was already connected,
55 this must be the first one we are reconnecting */
56 return true;
57}
58
59/*
60 * vc number 0 is treated specially by some servers, and should be the
61 * first one we request. After that we can use vcnumbers up to maxvcs,
62 * one for each smb session (some Windows versions set maxvcs incorrectly
63 * so maxvc=1 can be ignored). If we have too many vcs, we can reuse
64 * any vc but zero (some servers reset the connection on vcnum zero)
65 *
66 */
67static __le16 get_next_vcnum(struct cifsSesInfo *ses)
68{
69 __u16 vcnum = 0;
70 struct list_head *tmp;
71 struct cifsSesInfo *tmp_ses;
72 __u16 max_vcs = ses->server->max_vcs;
73 __u16 i;
74 int free_vc_found = 0;
75
76 /* Quoting the MS-SMB specification: "Windows-based SMB servers set this
77 field to one but do not enforce this limit, which allows an SMB client
78 to establish more virtual circuits than allowed by this value ... but
79 other server implementations can enforce this limit." */
80 if (max_vcs < 2)
81 max_vcs = 0xFFFF;
82
83 write_lock(&cifs_tcp_ses_lock);
84 if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
85 goto get_vc_num_exit; /* vcnum will be zero */
86 for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
87 if (i == 0) /* this is the only connection, use vc 0 */
88 break;
89
90 free_vc_found = 1;
91
92 list_for_each(tmp, &ses->server->smb_ses_list) {
93 tmp_ses = list_entry(tmp, struct cifsSesInfo,
94 smb_ses_list);
95 if (tmp_ses->vcnum == i) {
96 free_vc_found = 0;
97 break; /* found duplicate, try next vcnum */
98 }
99 }
100 if (free_vc_found)
101 break; /* we found a vcnumber that will work - use it */
102 }
103
104 if (i == 0)
105 vcnum = 0; /* for most common case, ie if one smb session, use
106 vc zero. Also for case when no free vcnum, zero
107 is safest to send (some clients only send zero) */
108 else if (free_vc_found == 0)
109 vcnum = 1; /* we can not reuse vc=0 safely, since some servers
110 reset all uids on that, but 1 is ok. */
111 else
112 vcnum = i;
113 ses->vcnum = vcnum;
114get_vc_num_exit:
115 write_unlock(&cifs_tcp_ses_lock);
116
051a2a0d 117 return cpu_to_le16(vcnum);
eca6acf9
SF		 118}
119
3979877e
SF		 120static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
121{
122 __u32 capabilities = 0;
123
124 /* init fields common to all four types of SessSetup */
eca6acf9
SF		 125 /* Note that offsets for first seven fields in req struct are same */
126 /* in CIFS Specs so does not matter which of 3 forms of struct */
127 /* that we use in next few lines */
128 /* Note that header is initialized to zero in header_assemble */
3979877e
SF		 129 pSMB->req.AndXCommand = 0xFF;
130 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
131 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
eca6acf9 132 pSMB->req.VcNumber = get_next_vcnum(ses);
3979877e
SF		 133
134 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
135
790fe579 136 /* BB verify whether signing required on neg or just on auth frame
3979877e
SF		 137 (and NTLM case) */
138
139 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
140 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
141
790fe579
SF		 142 if (ses->server->secMode &
143 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
3979877e
SF		 144 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
145
146 if (ses->capabilities & CAP_UNICODE) {
147 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
148 capabilities |= CAP_UNICODE;
149 }
150 if (ses->capabilities & CAP_STATUS32) {
151 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
152 capabilities |= CAP_STATUS32;
153 }
154 if (ses->capabilities & CAP_DFS) {
155 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
156 capabilities |= CAP_DFS;
157 }
26f57364 158 if (ses->capabilities & CAP_UNIX)
3979877e 159 capabilities |= CAP_UNIX;
3979877e 160
3979877e
SF		 161 return capabilities;
162}
163
0d3a01fa
JL		 164static void
165unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
166{
167 char *bcc_ptr = *pbcc_area;
168 int bytes_ret = 0;
169
170 /* Copy OS version */
171 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
172 nls_cp);
173 bcc_ptr += 2 * bytes_ret;
174 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
175 32, nls_cp);
176 bcc_ptr += 2 * bytes_ret;
177 bcc_ptr += 2; /* trailing null */
178
179 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
180 32, nls_cp);
181 bcc_ptr += 2 * bytes_ret;
182 bcc_ptr += 2; /* trailing null */
183
184 *pbcc_area = bcc_ptr;
185}
186
187static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
188 const struct nls_table *nls_cp)
189{
190 char *bcc_ptr = *pbcc_area;
191 int bytes_ret = 0;
192
193 /* copy domain */
194 if (ses->domainName == NULL) {
195 /* Sending null domain better than using a bogus domain name (as
196 we did briefly in 2.6.18) since server will use its default */
197 *bcc_ptr = 0;
198 *(bcc_ptr+1) = 0;
199 bytes_ret = 0;
200 } else
201 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
202 256, nls_cp);
203 bcc_ptr += 2 * bytes_ret;
204 bcc_ptr += 2; /* account for null terminator */
205
206 *pbcc_area = bcc_ptr;
207}
208
209
3870253e 210static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 211 const struct nls_table *nls_cp)
3979877e 212{
790fe579 213 char *bcc_ptr = *pbcc_area;
3979877e
SF		 214 int bytes_ret = 0;
215
216 /* BB FIXME add check that strings total less
217 than 335 or will need to send them as arrays */
218
0223cf0b
SF		 219 /* unicode strings, must be word aligned before the call */
220/* if ((long) bcc_ptr % 2) {
3979877e
SF		 221 *bcc_ptr = 0;
222 bcc_ptr++;
0223cf0b 223 } */
3979877e 224 /* copy user */
790fe579 225 if (ses->userName == NULL) {
6e659c63
SF		 226 /* null user mount */
227 *bcc_ptr = 0;
228 *(bcc_ptr+1) = 0;
301a6a31 229 } else {
3979877e 230 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
301a6a31 231 MAX_USERNAME_SIZE, nls_cp);
3979877e
SF		 232 }
233 bcc_ptr += 2 * bytes_ret;
234 bcc_ptr += 2; /* account for null termination */
3979877e 235
0d3a01fa
JL		 236 unicode_domain_string(&bcc_ptr, ses, nls_cp);
237 unicode_oslm_strings(&bcc_ptr, nls_cp);
3979877e
SF		 238
239 *pbcc_area = bcc_ptr;
240}
241
3870253e 242static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 243 const struct nls_table *nls_cp)
3979877e 244{
790fe579 245 char *bcc_ptr = *pbcc_area;
3979877e
SF		 246
247 /* copy user */
248 /* BB what about null user mounts - check that we do this BB */
790fe579
SF		 249 /* copy user */
250 if (ses->userName == NULL) {
251 /* BB what about null user mounts - check that we do this BB */
301a6a31
SF		 252 } else {
253 strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
790fe579 254 }
301a6a31 255 bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
3979877e 256 *bcc_ptr = 0;
790fe579 257 bcc_ptr++; /* account for null termination */
3979877e 258
790fe579
SF		 259 /* copy domain */
260
261 if (ses->domainName != NULL) {
262 strncpy(bcc_ptr, ses->domainName, 256);
3979877e 263 bcc_ptr += strnlen(ses->domainName, 256);
790fe579 264 } /* else we will send a null domain name
6e659c63 265 so the server will default to its own domain */
3979877e
SF		 266 *bcc_ptr = 0;
267 bcc_ptr++;
268
269 /* BB check for overflow here */
270
271 strcpy(bcc_ptr, "Linux version ");
272 bcc_ptr += strlen("Linux version ");
96b644bd
SH		 273 strcpy(bcc_ptr, init_utsname()->release);
274 bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e
SF		 275
276 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
277 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
278
790fe579 279 *pbcc_area = bcc_ptr;
3979877e
SF		 280}
281
59140797
JL		 282static void
283decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
284 const struct nls_table *nls_cp)
3979877e 285{
59140797 286 int len;
790fe579 287 char *data = *pbcc_area;
3979877e 288
b6b38f70 289 cFYI(1, "bleft %d", bleft);
3979877e 290
27b87fe5
JL		 291 /*
292 * Windows servers do not always double null terminate their final
293 * Unicode string. Check to see if there are an uneven number of bytes
294 * left. If so, then add an extra NULL pad byte to the end of the
295 * response.
296 *
297 * See section 2.7.2 in "Implementing CIFS" for details
298 */
299 if (bleft % 2) {
300 data[bleft] = 0;
301 ++bleft;
302 }
50c2f753 303
26f57364 304 kfree(ses->serverOS);
d185cda7 305 ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 306 cFYI(1, "serverOS=%s", ses->serverOS);
59140797
JL		 307 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
308 data += len;
309 bleft -= len;
310 if (bleft <= 0)
311 return;
3979877e 312
26f57364 313 kfree(ses->serverNOS);
d185cda7 314 ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 315 cFYI(1, "serverNOS=%s", ses->serverNOS);
59140797
JL		 316 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
317 data += len;
318 bleft -= len;
319 if (bleft <= 0)
320 return;
790fe579 321
26f57364 322 kfree(ses->serverDomain);
d185cda7 323 ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 324 cFYI(1, "serverDomain=%s", ses->serverDomain);
790fe579 325
59140797 326 return;
3979877e
SF		 327}
328
790fe579
SF		 329static int decode_ascii_ssetup(char **pbcc_area, int bleft,
330 struct cifsSesInfo *ses,
331 const struct nls_table *nls_cp)
3979877e
SF		 332{
333 int rc = 0;
334 int len;
790fe579 335 char *bcc_ptr = *pbcc_area;
3979877e 336
b6b38f70 337 cFYI(1, "decode sessetup ascii. bleft %d", bleft);
50c2f753 338
3979877e 339 len = strnlen(bcc_ptr, bleft);
790fe579 340 if (len >= bleft)
3979877e 341 return rc;
50c2f753 342
26f57364 343 kfree(ses->serverOS);
3979877e
SF		 344
345 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 346 if (ses->serverOS)
3979877e 347 strncpy(ses->serverOS, bcc_ptr, len);
790fe579 348 if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
b6b38f70 349 cFYI(1, "OS/2 server");
9ac00b7d
SF		 350 ses->flags |= CIFS_SES_OS2;
351 }
3979877e
SF		 352
353 bcc_ptr += len + 1;
354 bleft -= len + 1;
355
356 len = strnlen(bcc_ptr, bleft);
790fe579 357 if (len >= bleft)
3979877e
SF		 358 return rc;
359
26f57364 360 kfree(ses->serverNOS);
3979877e
SF		 361
362 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 363 if (ses->serverNOS)
3979877e
SF		 364 strncpy(ses->serverNOS, bcc_ptr, len);
365
366 bcc_ptr += len + 1;
367 bleft -= len + 1;
368
790fe579
SF		 369 len = strnlen(bcc_ptr, bleft);
370 if (len > bleft)
371 return rc;
3979877e 372
9ac00b7d
SF		 373 /* No domain field in LANMAN case. Domain is
374 returned by old servers in the SMB negprot response */
375 /* BB For newer servers which do not support Unicode,
376 but thus do return domain here we could add parsing
377 for it later, but it is not very important */
b6b38f70 378 cFYI(1, "ascii: bytes left %d", bleft);
3979877e
SF		 379
380 return rc;
381}
382
0b3cc858
SF		 383static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
384 struct cifsSesInfo *ses)
385{
2b149f11
SP		 386 unsigned int tioffset; /* challenge message target info area */
387 unsigned int tilen; /* challenge message target info area length */
388
0b3cc858
SF		 389 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
390
391 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
b6b38f70 392 cERROR(1, "challenge blob len %d too small", blob_len);
0b3cc858
SF		 393 return -EINVAL;
394 }
395
396 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
b6b38f70 397 cERROR(1, "blob signature incorrect %s", pblob->Signature);
0b3cc858
SF		 398 return -EINVAL;
399 }
400 if (pblob->MessageType != NtLmChallenge) {
b6b38f70 401 cERROR(1, "Incorrect message type %d", pblob->MessageType);
0b3cc858
SF		 402 return -EINVAL;
403 }
404
5d0d2882 405 memcpy(ses->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
0b3cc858
SF		 406 /* BB we could decode pblob->NegotiateFlags; some may be useful */
407 /* In particular we can examine sign flags */
408 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
409 we must set the MIC field of the AUTHENTICATE_MESSAGE */
410
2b149f11
SP		 411 tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
412 tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
413 ses->tilen = tilen;
414 if (ses->tilen) {
415 ses->tiblob = kmalloc(tilen, GFP_KERNEL);
416 if (!ses->tiblob) {
417 cERROR(1, "Challenge target info allocation failure");
418 ses->tilen = 0;
419 return -ENOMEM;
420 }
421 memcpy(ses->tiblob, bcc_ptr + tioffset, ses->tilen);
422 }
423
0b3cc858
SF		 424 return 0;
425}
426
427#ifdef CONFIG_CIFS_EXPERIMENTAL
428/* BB Move to ntlmssp.c eventually */
429
430/* We do not malloc the blob, it is passed in pbuffer, because
431 it is fixed size, and small, making this approach cleaner */
432static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
433 struct cifsSesInfo *ses)
434{
435 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
436 __u32 flags;
437
438 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
439 sec_blob->MessageType = NtLmNegotiate;
440
441 /* BB is NTLMV2 session security format easier to use here? */
442 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
443 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 444 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858 445 if (ses->server->secMode &
745e507a
SF		 446 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
447 flags |= NTLMSSP_NEGOTIATE_SIGN;
448 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
449 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
0b3cc858
SF		 450
451 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
452
453 sec_blob->WorkstationName.BufferOffset = 0;
454 sec_blob->WorkstationName.Length = 0;
455 sec_blob->WorkstationName.MaximumLength = 0;
456
457 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
458 sec_blob->DomainName.BufferOffset = 0;
459 sec_blob->DomainName.Length = 0;
460 sec_blob->DomainName.MaximumLength = 0;
461}
462
463/* We do not malloc the blob, it is passed in pbuffer, because its
464 maximum possible size is fixed and small, making this approach cleaner.
465 This function returns the length of the data in the blob */
466static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
89f150f4 467 u16 *buflen,
0b3cc858 468 struct cifsSesInfo *ses,
2b149f11 469 const struct nls_table *nls_cp)
0b3cc858 470{
2b149f11
SP		 471 int rc;
472 unsigned int size;
0b3cc858
SF		 473 AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
474 __u32 flags;
475 unsigned char *tmp;
2b149f11 476 struct ntlmv2_resp ntlmv2_response = {};
0b3cc858
SF		 477
478 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
479 sec_blob->MessageType = NtLmAuthenticate;
480
481 flags = NTLMSSP_NEGOTIATE_56 |
482 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
483 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 484 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858
SF		 485 if (ses->server->secMode &
486 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
487 flags |= NTLMSSP_NEGOTIATE_SIGN;
488 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
489 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
490
491 tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
492 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
493
494 sec_blob->LmChallengeResponse.BufferOffset =
495 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
496 sec_blob->LmChallengeResponse.Length = 0;
497 sec_blob->LmChallengeResponse.MaximumLength = 0;
498
c8e56f1f 499 sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
2b149f11
SP		 500 rc = setup_ntlmv2_rsp(ses, (char *)&ntlmv2_response, nls_cp);
501 if (rc) {
502 cERROR(1, "Error %d during NTLMSSP authentication", rc);
503 goto setup_ntlmv2_ret;
504 }
505 size = sizeof(struct ntlmv2_resp);
506 memcpy(tmp, (char *)&ntlmv2_response, size);
507 tmp += size;
508 if (ses->tilen > 0) {
509 memcpy(tmp, ses->tiblob, ses->tilen);
510 tmp += ses->tilen;
511 }
c8e56f1f 512
2b149f11
SP		 513 sec_blob->NtChallengeResponse.Length = cpu_to_le16(size + ses->tilen);
514 sec_blob->NtChallengeResponse.MaximumLength =
515 cpu_to_le16(size + ses->tilen);
516 kfree(ses->tiblob);
517 ses->tiblob = NULL;
518 ses->tilen = 0;
0b3cc858
SF		 519
520 if (ses->domainName == NULL) {
521 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
522 sec_blob->DomainName.Length = 0;
523 sec_blob->DomainName.MaximumLength = 0;
524 tmp += 2;
525 } else {
526 int len;
527 len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
528 MAX_USERNAME_SIZE, nls_cp);
529 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 530 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
531 sec_blob->DomainName.Length = cpu_to_le16(len);
532 sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
533 tmp += len;
534 }
535
536 if (ses->userName == NULL) {
537 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
538 sec_blob->UserName.Length = 0;
539 sec_blob->UserName.MaximumLength = 0;
540 tmp += 2;
541 } else {
542 int len;
543 len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
544 MAX_USERNAME_SIZE, nls_cp);
545 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 546 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
547 sec_blob->UserName.Length = cpu_to_le16(len);
548 sec_blob->UserName.MaximumLength = cpu_to_le16(len);
549 tmp += len;
550 }
551
552 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
553 sec_blob->WorkstationName.Length = 0;
554 sec_blob->WorkstationName.MaximumLength = 0;
555 tmp += 2;
556
c8e56f1f
SF		 557 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
558 sec_blob->SessionKey.Length = 0;
559 sec_blob->SessionKey.MaximumLength = 0;
2b149f11
SP		 560
561setup_ntlmv2_ret:
89f150f4
SP		 562 *buflen = tmp - pbuffer;
563 return rc;
0b3cc858
SF		 564}
565
566
567static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
568 struct cifsSesInfo *ses)
569{
570 build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
571 pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
572
573 return;
574}
0b3cc858
SF		 575#endif
576
790fe579 577int
ebe6aa5a
JL		 578CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
579 const struct nls_table *nls_cp)
3979877e
SF		 580{
581 int rc = 0;
582 int wct;
3979877e
SF		 583 struct smb_hdr *smb_buf;
584 char *bcc_ptr;
750d1151 585 char *str_area;
3979877e
SF		 586 SESSION_SETUP_ANDX *pSMB;
587 __u32 capabilities;
588 int count;
2442421b
SF		 589 int resp_buf_type;
590 struct kvec iov[3];
3979877e
SF		 591 enum securityEnum type;
592 __u16 action;
593 int bytes_remaining;
2442421b 594 struct key *spnego_key = NULL;
0b3cc858 595 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
89f150f4 596 u16 blob_len;
2b149f11 597 char *ntlmsspblob = NULL;
254e55ed 598
790fe579 599 if (ses == NULL)
3979877e
SF		 600 return -EINVAL;
601
602 type = ses->server->secType;
f40c5628 603
b6b38f70 604 cFYI(1, "sess setup type %d", type);
0b3cc858
SF		 605ssetup_ntlmssp_authenticate:
606 if (phase == NtLmChallenge)
607 phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
608
790fe579 609 if (type == LANMAN) {
3979877e
SF		 610#ifndef CONFIG_CIFS_WEAK_PW_HASH
611 /* LANMAN and plaintext are less secure and off by default.
612 So we make this explicitly be turned on in kconfig (in the
613 build) and turned on at runtime (changed from the default)
614 in proc/fs/cifs or via mount parm. Unfortunately this is
615 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
616 return -EOPNOTSUPP;
617#endif
618 wct = 10; /* lanman 2 style sessionsetup */
790fe579 619 } else if ((type == NTLM) || (type == NTLMv2)) {
9312f675 620 /* For NTLMv2 failures eventually may need to retry NTLM */
3979877e 621 wct = 13; /* old style NTLM sessionsetup */
790fe579 622 } else /* same size: negotiate or auth, NTLMSSP or extended security */
3979877e
SF		 623 wct = 12;
624
625 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
626 (void **)&smb_buf);
790fe579 627 if (rc)
3979877e
SF		 628 return rc;
629
630 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
631
632 capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 633
2442421b
SF		 634 /* we will send the SMB in three pieces:
635 a fixed length beginning part, an optional
636 SPNEGO blob (which can be zero length), and a
637 last part which will include the strings
638 and rest of bcc area. This allows us to avoid
639 a large buffer 17K allocation */
790fe579
SF		 640 iov[0].iov_base = (char *)pSMB;
641 iov[0].iov_len = smb_buf->smb_buf_length + 4;
750d1151 642
2442421b
SF		 643 /* setting this here allows the code at the end of the function
644 to free the request buffer if there's an error */
645 resp_buf_type = CIFS_SMALL_BUFFER;
646
750d1151
SF		 647 /* 2000 big enough to fit max user, domain, NOS name etc. */
648 str_area = kmalloc(2000, GFP_KERNEL);
5e6e6232 649 if (str_area == NULL) {
2442421b
SF		 650 rc = -ENOMEM;
651 goto ssetup_exit;
5e6e6232 652 }
750d1151 653 bcc_ptr = str_area;
3979877e 654
9ac00b7d
SF		 655 ses->flags &= ~CIFS_SES_LANMAN;
656
2442421b
SF		 657 iov[1].iov_base = NULL;
658 iov[1].iov_len = 0;
659
790fe579 660 if (type == LANMAN) {
3979877e 661#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc 662 char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e 663
c76da9da
SF		 664 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
665
3979877e
SF		 666 /* no capabilities flags in old lanman negotiation */
667
790fe579 668 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e
SF		 669 /* BB calculate hash with password */
670 /* and copy into bcc */
671
5d0d2882 672 calc_lanman_hash(ses->password, ses->cryptKey,
4e53a3fb
JL		 673 ses->server->secMode & SECMODE_PW_ENCRYPT ?
674 true : false, lnm_session_key);
675
790fe579 676 ses->flags |= CIFS_SES_LANMAN;
7c7b25bc
SF		 677 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
678 bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e
SF		 679
680 /* can not sign if LANMAN negotiated so no need
681 to calculate signing key? but what if server
682 changed to do higher than lanman dialect and
683 we reconnected would we ever calc signing_key? */
684
b6b38f70 685 cFYI(1, "Negotiating LANMAN setting up strings");
3979877e
SF		 686 /* Unicode not allowed for LANMAN dialects */
687 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
790fe579 688#endif
3979877e 689 } else if (type == NTLM) {
7c7b25bc 690 char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3979877e
SF		 691
692 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
693 pSMB->req_no_secext.CaseInsensitivePasswordLength =
7c7b25bc 694 cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e 695 pSMB->req_no_secext.CaseSensitivePasswordLength =
7c7b25bc 696 cpu_to_le16(CIFS_SESS_KEY_SIZE);
50c2f753 697
3979877e 698 /* calculate session key */
5d0d2882 699 SMBNTencrypt(ses->password, ses->cryptKey, ntlm_session_key);
3979877e 700
5d0d2882
SP		 701 cifs_calculate_session_key(&ses->auth_key,
702 ntlm_session_key, ses->password);
3979877e 703 /* copy session key */
790fe579 704 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc 705 bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579 706 memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc 707 bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579 708 if (ses->capabilities & CAP_UNICODE) {
0223cf0b
SF		 709 /* unicode strings must be word aligned */
710 if (iov[0].iov_len % 2) {
711 *bcc_ptr = 0;
790fe579
SF		 712 bcc_ptr++;
713 }
7c7b25bc 714 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 715 } else
7c7b25bc
SF		 716 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
717 } else if (type == NTLMv2) {
790fe579 718 char *v2_sess_key =
6d027cfd 719 kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
f64b23ae
SF		 720
721 /* BB FIXME change all users of v2_sess_key to
722 struct ntlmv2_resp */
7c7b25bc 723
790fe579 724 if (v2_sess_key == NULL) {
2442421b
SF		 725 rc = -ENOMEM;
726 goto ssetup_exit;
7c7b25bc
SF		 727 }
728
729 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
730
731 /* LM2 password would be here if we supported it */
732 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
733 /* cpu_to_le16(LM2_SESS_KEY_SIZE); */
734
7c7b25bc 735 /* calculate session key */
2b149f11
SP		 736 rc = setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
737 if (rc) {
738 cERROR(1, "Error %d during NTLMv2 authentication", rc);
739 kfree(v2_sess_key);
740 goto ssetup_exit;
741 }
3870253e 742 memcpy(bcc_ptr, (char *)v2_sess_key,
2b149f11 743 sizeof(struct ntlmv2_resp));
f64b23ae
SF		 744 bcc_ptr += sizeof(struct ntlmv2_resp);
745 kfree(v2_sess_key);
c9928f70
SP		 746 /* set case sensitive password length after tilen may get
747 * assigned, tilen is 0 otherwise.
748 */
749 pSMB->req_no_secext.CaseSensitivePasswordLength =
750 cpu_to_le16(sizeof(struct ntlmv2_resp) + ses->tilen);
2b149f11
SP		 751 if (ses->tilen > 0) {
752 memcpy(bcc_ptr, ses->tiblob, ses->tilen);
753 bcc_ptr += ses->tilen;
754 /* we never did allocate ses->domainName to free */
755 kfree(ses->tiblob);
756 ses->tiblob = NULL;
757 ses->tilen = 0;
758 }
c9928f70 759
790fe579
SF		 760 if (ses->capabilities & CAP_UNICODE) {
761 if (iov[0].iov_len % 2) {
0223cf0b 762 *bcc_ptr = 0;
26f57364
SF		 763 bcc_ptr++;
764 }
3979877e 765 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 766 } else
3979877e 767 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
26efa0ba 768 } else if (type == Kerberos) {
2442421b
SF		 769#ifdef CONFIG_CIFS_UPCALL
770 struct cifs_spnego_msg *msg;
771 spnego_key = cifs_get_spnego_key(ses);
772 if (IS_ERR(spnego_key)) {
773 rc = PTR_ERR(spnego_key);
774 spnego_key = NULL;
775 goto ssetup_exit;
776 }
777
778 msg = spnego_key->payload.data;
6ce5eecb
SF		 779 /* check version field to make sure that cifs.upcall is
780 sending us a response in an expected form */
781 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
b6b38f70 782 cERROR(1, "incorrect version of cifs.upcall (expected"
6ce5eecb 783 " %d but got %d)",
b6b38f70 784 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
6ce5eecb
SF		 785 rc = -EKEYREJECTED;
786 goto ssetup_exit;
787 }
2442421b
SF		 788 /* bail out if key is too long */
789 if (msg->sesskey_len >
5d0d2882 790 sizeof(ses->auth_key.data.krb5)) {
b6b38f70
JP		 791 cERROR(1, "Kerberos signing key too long (%u bytes)",
792 msg->sesskey_len);
2442421b
SF		 793 rc = -EOVERFLOW;
794 goto ssetup_exit;
795 }
5d0d2882
SP		 796 ses->auth_key.len = msg->sesskey_len;
797 memcpy(ses->auth_key.data.krb5, msg->data, msg->sesskey_len);
3979877e
SF		 798 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
799 capabilities |= CAP_EXTENDED_SECURITY;
800 pSMB->req.Capabilities = cpu_to_le32(capabilities);
2442421b
SF		 801 iov[1].iov_base = msg->data + msg->sesskey_len;
802 iov[1].iov_len = msg->secblob_len;
803 pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
804
805 if (ses->capabilities & CAP_UNICODE) {
806 /* unicode strings must be word aligned */
28c5a02a 807 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
2442421b
SF		 808 *bcc_ptr = 0;
809 bcc_ptr++;
810 }
811 unicode_oslm_strings(&bcc_ptr, nls_cp);
812 unicode_domain_string(&bcc_ptr, ses, nls_cp);
813 } else
814 /* BB: is this right? */
815 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
816#else /* ! CONFIG_CIFS_UPCALL */
b6b38f70 817 cERROR(1, "Kerberos negotiated but upcall support disabled!");
2442421b
SF		 818 rc = -ENOSYS;
819 goto ssetup_exit;
820#endif /* CONFIG_CIFS_UPCALL */
821 } else {
0b3cc858 822#ifdef CONFIG_CIFS_EXPERIMENTAL
f46c7234 823 if (type == RawNTLMSSP) {
0b3cc858 824 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
b6b38f70 825 cERROR(1, "NTLMSSP requires Unicode support");
0b3cc858
SF		 826 rc = -ENOSYS;
827 goto ssetup_exit;
828 }
829
b6b38f70 830 cFYI(1, "ntlmssp session setup phase %d", phase);
0b3cc858
SF		 831 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
832 capabilities |= CAP_EXTENDED_SECURITY;
833 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
834 if (phase == NtLmNegotiate) {
835 setup_ntlmssp_neg_req(pSMB, ses);
836 iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
2b149f11 837 iov[1].iov_base = &pSMB->req.SecurityBlob[0];
0b3cc858 838 } else if (phase == NtLmAuthenticate) {
2b149f11
SP		 839 /* 5 is an empirical value, large enought to
840 * hold authenticate message, max 10 of
841 * av paris, doamin,user,workstation mames,
842 * flags etc..
843 */
844 ntlmsspblob = kmalloc(
845 5*sizeof(struct _AUTHENTICATE_MESSAGE),
846 GFP_KERNEL);
847 if (!ntlmsspblob) {
848 cERROR(1, "Can't allocate NTLMSSP");
849 rc = -ENOMEM;
850 goto ssetup_exit;
851 }
852
89f150f4
SP		 853 rc = build_ntlmssp_auth_blob(ntlmsspblob,
854 &blob_len, ses, nls_cp);
855 if (rc)
856 goto ssetup_exit;
0b3cc858 857 iov[1].iov_len = blob_len;
2b149f11
SP		 858 iov[1].iov_base = ntlmsspblob;
859 pSMB->req.SecurityBlobLength =
860 cpu_to_le16(blob_len);
844823cb
SF		 861 /* Make sure that we tell the server that we
862 are using the uid that it just gave us back
863 on the response (challenge) */
864 smb_buf->Uid = ses->Suid;
0b3cc858 865 } else {
b6b38f70 866 cERROR(1, "invalid phase %d", phase);
0b3cc858
SF		 867 rc = -ENOSYS;
868 goto ssetup_exit;
869 }
0b3cc858
SF		 870 /* unicode strings must be word aligned */
871 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
872 *bcc_ptr = 0;
873 bcc_ptr++;
874 }
875 unicode_oslm_strings(&bcc_ptr, nls_cp);
876 } else {
b6b38f70 877 cERROR(1, "secType %d not supported!", type);
0b3cc858
SF		 878 rc = -ENOSYS;
879 goto ssetup_exit;
880 }
881#else
b6b38f70 882 cERROR(1, "secType %d not supported!", type);
2442421b
SF		 883 rc = -ENOSYS;
884 goto ssetup_exit;
0b3cc858 885#endif
3979877e
SF		 886 }
887
2442421b
SF		 888 iov[2].iov_base = str_area;
889 iov[2].iov_len = (long) bcc_ptr - (long) str_area;
890
891 count = iov[1].iov_len + iov[2].iov_len;
3979877e
SF		 892 smb_buf->smb_buf_length += count;
893
3979877e
SF		 894 BCC_LE(smb_buf) = cpu_to_le16(count);
895
2442421b 896 rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
133672ef 897 CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
3979877e
SF		 898 /* SMB request buf freed in SendReceive2 */
899
b6b38f70 900 cFYI(1, "ssetup rc from sendrecv2 is %d", rc);
3979877e
SF		 901
902 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
903 smb_buf = (struct smb_hdr *)iov[0].iov_base;
904
0b3cc858
SF		 905 if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
906 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
907 if (phase != NtLmNegotiate) {
b6b38f70 908 cERROR(1, "Unexpected more processing error");
0b3cc858
SF		 909 goto ssetup_exit;
910 }
911 /* NTLMSSP Negotiate sent now processing challenge (response) */
912 phase = NtLmChallenge; /* process ntlmssp challenge */
913 rc = 0; /* MORE_PROC rc is not an error here, but expected */
914 }
915 if (rc)
916 goto ssetup_exit;
917
790fe579 918 if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
3979877e 919 rc = -EIO;
b6b38f70 920 cERROR(1, "bad word count %d", smb_buf->WordCount);
3979877e
SF		 921 goto ssetup_exit;
922 }
923 action = le16_to_cpu(pSMB->resp.Action);
924 if (action & GUEST_LOGIN)
b6b38f70 925 cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
3979877e 926 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
b6b38f70 927 cFYI(1, "UID = %d ", ses->Suid);
3979877e
SF		 928 /* response can have either 3 or 4 word count - Samba sends 3 */
929 /* and lanman response is 3 */
930 bytes_remaining = BCC(smb_buf);
931 bcc_ptr = pByteArea(smb_buf);
932
790fe579 933 if (smb_buf->WordCount == 4) {
3979877e 934 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
790fe579 935 if (blob_len > bytes_remaining) {
b6b38f70 936 cERROR(1, "bad security blob length %d", blob_len);
3979877e
SF		 937 rc = -EINVAL;
938 goto ssetup_exit;
939 }
0b3cc858
SF		 940 if (phase == NtLmChallenge) {
941 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
942 /* now goto beginning for ntlmssp authenticate phase */
943 if (rc)
944 goto ssetup_exit;
945 }
946 bcc_ptr += blob_len;
3979877e 947 bytes_remaining -= blob_len;
790fe579 948 }
3979877e
SF		 949
950 /* BB check if Unicode and decode strings */
27b87fe5
JL		 951 if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
952 /* unicode string area must be word-aligned */
953 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
954 ++bcc_ptr;
955 --bytes_remaining;
956 }
59140797 957 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
27b87fe5 958 } else {
63135e08
SF		 959 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
960 ses, nls_cp);
27b87fe5 961 }
50c2f753 962
3979877e 963ssetup_exit:
dfd15c46
JL		 964 if (spnego_key) {
965 key_revoke(spnego_key);
2442421b 966 key_put(spnego_key);
dfd15c46 967 }
750d1151 968 kfree(str_area);
2b149f11
SP		 969 kfree(ntlmsspblob);
970 ntlmsspblob = NULL;
790fe579 971 if (resp_buf_type == CIFS_SMALL_BUFFER) {
b6b38f70 972 cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
3979877e 973 cifs_small_buf_release(iov[0].iov_base);
790fe579 974 } else if (resp_buf_type == CIFS_LARGE_BUFFER)
3979877e
SF		 975 cifs_buf_release(iov[0].iov_base);
976
0b3cc858
SF		 977 /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
978 if ((phase == NtLmChallenge) && (rc == 0))
979 goto ssetup_ntlmssp_authenticate;
980
3979877e
SF		 981 return rc;
982}
Linux kernel - Deliverables
This page took 1.399126 seconds and 5 git commands to generate.