LXR linux/fs/cifs/sess.c

   1// SPDX-License-Identifier: LGPL-2.1
   2/*
   3 *   fs/cifs/sess.c
   4 *
   5 *   SMB/CIFS session setup handling routines
   6 *
   7 *   Copyright (c) International Business Machines  Corp., 2006, 2009
   8 *   Author(s): Steve French (sfrench@us.ibm.com)
   9 *
  10 */
  11
  12#include "cifspdu.h"
  13#include "cifsglob.h"
  14#include "cifsproto.h"
  15#include "cifs_unicode.h"
  16#include "cifs_debug.h"
  17#include "ntlmssp.h"
  18#include "nterr.h"
  19#include <linux/utsname.h>
  20#include <linux/slab.h>
  21#include "cifs_spnego.h"
  22#include "smb2proto.h"
  23#include "fs_context.h"
  24
  25static int
  26cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses,
  27                     struct cifs_server_iface *iface);
  28
  29bool
  30is_server_using_iface(struct TCP_Server_Info *server,
  31                      struct cifs_server_iface *iface)
  32{
  33        struct sockaddr_in *i4 = (struct sockaddr_in *)&iface->sockaddr;
  34        struct sockaddr_in6 *i6 = (struct sockaddr_in6 *)&iface->sockaddr;
  35        struct sockaddr_in *s4 = (struct sockaddr_in *)&server->dstaddr;
  36        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&server->dstaddr;
  37
  38        if (server->dstaddr.ss_family != iface->sockaddr.ss_family)
  39                return false;
  40        if (server->dstaddr.ss_family == AF_INET) {
  41                if (s4->sin_addr.s_addr != i4->sin_addr.s_addr)
  42                        return false;
  43        } else if (server->dstaddr.ss_family == AF_INET6) {
  44                if (memcmp(&s6->sin6_addr, &i6->sin6_addr,
  45                           sizeof(i6->sin6_addr)) != 0)
  46                        return false;
  47        } else {
  48                /* unknown family.. */
  49                return false;
  50        }
  51        return true;
  52}
  53
  54bool is_ses_using_iface(struct cifs_ses *ses, struct cifs_server_iface *iface)
  55{
  56        int i;
  57
  58        for (i = 0; i < ses->chan_count; i++) {
  59                if (is_server_using_iface(ses->chans[i].server, iface))
  60                        return true;
  61        }
  62        return false;
  63}
  64
  65/* returns number of channels added */
  66int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses)
  67{
  68        int old_chan_count = ses->chan_count;
  69        int left = ses->chan_max - ses->chan_count;
  70        int i = 0;
  71        int rc = 0;
  72        int tries = 0;
  73        struct cifs_server_iface *ifaces = NULL;
  74        size_t iface_count;
  75
  76        if (left <= 0) {
  77                cifs_dbg(FYI,
  78                         "ses already at max_channels (%zu), nothing to open\n",
  79                         ses->chan_max);
  80                return 0;
  81        }
  82
  83        if (ses->server->dialect < SMB30_PROT_ID) {
  84                cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
  85                return 0;
  86        }
  87
  88        if (!(ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
  89                cifs_dbg(VFS, "server %s does not support multichannel\n", ses->server->hostname);
  90                ses->chan_max = 1;
  91                return 0;
  92        }
  93
  94        /*
  95         * Make a copy of the iface list at the time and use that
  96         * instead so as to not hold the iface spinlock for opening
  97         * channels
  98         */
  99        spin_lock(&ses->iface_lock);
 100        iface_count = ses->iface_count;
 101        if (iface_count <= 0) {
 102                spin_unlock(&ses->iface_lock);
 103                cifs_dbg(VFS, "no iface list available to open channels\n");
 104                return 0;
 105        }
 106        ifaces = kmemdup(ses->iface_list, iface_count*sizeof(*ifaces),
 107                         GFP_ATOMIC);
 108        if (!ifaces) {
 109                spin_unlock(&ses->iface_lock);
 110                return 0;
 111        }
 112        spin_unlock(&ses->iface_lock);
 113
 114        /*
 115         * Keep connecting to same, fastest, iface for all channels as
 116         * long as its RSS. Try next fastest one if not RSS or channel
 117         * creation fails.
 118         */
 119        while (left > 0) {
 120                struct cifs_server_iface *iface;
 121
 122                tries++;
 123                if (tries > 3*ses->chan_max) {
 124                        cifs_dbg(FYI, "too many channel open attempts (%d channels left to open)\n",
 125                                 left);
 126                        break;
 127                }
 128
 129                iface = &ifaces[i];
 130                if (is_ses_using_iface(ses, iface) && !iface->rss_capable) {
 131                        i = (i+1) % iface_count;
 132                        continue;
 133                }
 134
 135                rc = cifs_ses_add_channel(cifs_sb, ses, iface);
 136                if (rc) {
 137                        cifs_dbg(FYI, "failed to open extra channel on iface#%d rc=%d\n",
 138                                 i, rc);
 139                        i = (i+1) % iface_count;
 140                        continue;
 141                }
 142
 143                cifs_dbg(FYI, "successfully opened new channel on iface#%d\n",
 144                         i);
 145                left--;
 146        }
 147
 148        kfree(ifaces);
 149        return ses->chan_count - old_chan_count;
 150}
 151
 152/*
 153 * If server is a channel of ses, return the corresponding enclosing
 154 * cifs_chan otherwise return NULL.
 155 */
 156struct cifs_chan *
 157cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server)
 158{
 159        int i;
 160
 161        for (i = 0; i < ses->chan_count; i++) {
 162                if (ses->chans[i].server == server)
 163                        return &ses->chans[i];
 164        }
 165        return NULL;
 166}
 167
 168static int
 169cifs_ses_add_channel(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses,
 170                     struct cifs_server_iface *iface)
 171{
 172        struct cifs_chan *chan;
 173        struct smb3_fs_context ctx = {NULL};
 174        static const char unc_fmt[] = "\\%s\\foo";
 175        char unc[sizeof(unc_fmt)+SERVER_NAME_LEN_WITH_NULL] = {0};
 176        struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
 177        struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
 178        int rc;
 179        unsigned int xid = get_xid();
 180
 181        if (iface->sockaddr.ss_family == AF_INET)
 182                cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
 183                         ses, iface->speed, iface->rdma_capable ? "yes" : "no",
 184                         &ipv4->sin_addr);
 185        else
 186                cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
 187                         ses, iface->speed, iface->rdma_capable ? "yes" : "no",
 188                         &ipv6->sin6_addr);
 189
 190        /*
 191         * Setup a ctx with mostly the same info as the existing
 192         * session and overwrite it with the requested iface data.
 193         *
 194         * We need to setup at least the fields used for negprot and
 195         * sesssetup.
 196         *
 197         * We only need the ctx here, so we can reuse memory from
 198         * the session and server without caring about memory
 199         * management.
 200         */
 201
 202        /* Always make new connection for now (TODO?) */
 203        ctx.nosharesock = true;
 204
 205        /* Auth */
 206        ctx.domainauto = ses->domainAuto;
 207        ctx.domainname = ses->domainName;
 208        ctx.username = ses->user_name;
 209        ctx.password = ses->password;
 210        ctx.sectype = ses->sectype;
 211        ctx.sign = ses->sign;
 212
 213        /* UNC and paths */
 214        /* XXX: Use ses->server->hostname? */
 215        sprintf(unc, unc_fmt, ses->ip_addr);
 216        ctx.UNC = unc;
 217        ctx.prepath = "";
 218
 219        /* Reuse same version as master connection */
 220        ctx.vals = ses->server->vals;
 221        ctx.ops = ses->server->ops;
 222
 223        ctx.noblocksnd = ses->server->noblocksnd;
 224        ctx.noautotune = ses->server->noautotune;
 225        ctx.sockopt_tcp_nodelay = ses->server->tcp_nodelay;
 226        ctx.echo_interval = ses->server->echo_interval / HZ;
 227        ctx.max_credits = ses->server->max_credits;
 228
 229        /*
 230         * This will be used for encoding/decoding user/domain/pw
 231         * during sess setup auth.
 232         */
 233        ctx.local_nls = cifs_sb->local_nls;
 234
 235        /* Use RDMA if possible */
 236        ctx.rdma = iface->rdma_capable;
 237        memcpy(&ctx.dstaddr, &iface->sockaddr, sizeof(struct sockaddr_storage));
 238
 239        /* reuse master con client guid */
 240        memcpy(&ctx.client_guid, ses->server->client_guid,
 241               SMB2_CLIENT_GUID_SIZE);
 242        ctx.use_client_guid = true;
 243
 244        mutex_lock(&ses->session_mutex);
 245
 246        chan = ses->binding_chan = &ses->chans[ses->chan_count];
 247        chan->server = cifs_get_tcp_session(&ctx);
 248        if (IS_ERR(chan->server)) {
 249                rc = PTR_ERR(chan->server);
 250                chan->server = NULL;
 251                goto out;
 252        }
 253        spin_lock(&cifs_tcp_ses_lock);
 254        chan->server->is_channel = true;
 255        spin_unlock(&cifs_tcp_ses_lock);
 256
 257        /*
 258         * We need to allocate the server crypto now as we will need
 259         * to sign packets before we generate the channel signing key
 260         * (we sign with the session key)
 261         */
 262        rc = smb311_crypto_shash_allocate(chan->server);
 263        if (rc) {
 264                cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
 265                goto out;
 266        }
 267
 268        ses->binding = true;
 269        rc = cifs_negotiate_protocol(xid, ses);
 270        if (rc)
 271                goto out;
 272
 273        rc = cifs_setup_session(xid, ses, cifs_sb->local_nls);
 274        if (rc)
 275                goto out;
 276
 277        /* success, put it on the list
 278         * XXX: sharing ses between 2 tcp servers is not possible, the
 279         * way "internal" linked lists works in linux makes element
 280         * only able to belong to one list
 281         *
 282         * the binding session is already established so the rest of
 283         * the code should be able to look it up, no need to add the
 284         * ses to the new server.
 285         */
 286
 287        ses->chan_count++;
 288        atomic_set(&ses->chan_seq, 0);
 289out:
 290        ses->binding = false;
 291        ses->binding_chan = NULL;
 292        mutex_unlock(&ses->session_mutex);
 293
 294        if (rc && chan->server)
 295                cifs_put_tcp_session(chan->server, 0);
 296
 297        return rc;
 298}
 299
 300static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
 301{
 302        __u32 capabilities = 0;
 303
 304        /* init fields common to all four types of SessSetup */
 305        /* Note that offsets for first seven fields in req struct are same  */
 306        /*      in CIFS Specs so does not matter which of 3 forms of struct */
 307        /*      that we use in next few lines                               */
 308        /* Note that header is initialized to zero in header_assemble */
 309        pSMB->req.AndXCommand = 0xFF;
 310        pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
 311                                        CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
 312                                        USHRT_MAX));
 313        pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
 314        pSMB->req.VcNumber = cpu_to_le16(1);
 315
 316        /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
 317
 318        /* BB verify whether signing required on neg or just on auth frame
 319           (and NTLM case) */
 320
 321        capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
 322                        CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
 323
 324        if (ses->server->sign)
 325                pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
 326
 327        if (ses->capabilities & CAP_UNICODE) {
 328                pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
 329                capabilities |= CAP_UNICODE;
 330        }
 331        if (ses->capabilities & CAP_STATUS32) {
 332                pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
 333                capabilities |= CAP_STATUS32;
 334        }
 335        if (ses->capabilities & CAP_DFS) {
 336                pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
 337                capabilities |= CAP_DFS;
 338        }
 339        if (ses->capabilities & CAP_UNIX)
 340                capabilities |= CAP_UNIX;
 341
 342        return capabilities;
 343}
 344
 345static void
 346unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
 347{
 348        char *bcc_ptr = *pbcc_area;
 349        int bytes_ret = 0;
 350
 351        /* Copy OS version */
 352        bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
 353                                    nls_cp);
 354        bcc_ptr += 2 * bytes_ret;
 355        bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
 356                                    32, nls_cp);
 357        bcc_ptr += 2 * bytes_ret;
 358        bcc_ptr += 2; /* trailing null */
 359
 360        bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
 361                                    32, nls_cp);
 362        bcc_ptr += 2 * bytes_ret;
 363        bcc_ptr += 2; /* trailing null */
 364
 365        *pbcc_area = bcc_ptr;
 366}
 367
 368static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
 369                                   const struct nls_table *nls_cp)
 370{
 371        char *bcc_ptr = *pbcc_area;
 372        int bytes_ret = 0;
 373
 374        /* copy domain */
 375        if (ses->domainName == NULL) {
 376                /* Sending null domain better than using a bogus domain name (as
 377                we did briefly in 2.6.18) since server will use its default */
 378                *bcc_ptr = 0;
 379                *(bcc_ptr+1) = 0;
 380                bytes_ret = 0;
 381        } else
 382                bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
 383                                            CIFS_MAX_DOMAINNAME_LEN, nls_cp);
 384        bcc_ptr += 2 * bytes_ret;
 385        bcc_ptr += 2;  /* account for null terminator */
 386
 387        *pbcc_area = bcc_ptr;
 388}
 389
 390
 391static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
 392                                   const struct nls_table *nls_cp)
 393{
 394        char *bcc_ptr = *pbcc_area;
 395        int bytes_ret = 0;
 396
 397        /* BB FIXME add check that strings total less
 398        than 335 or will need to send them as arrays */
 399
 400        /* unicode strings, must be word aligned before the call */
 401/*      if ((long) bcc_ptr % 2) {
 402                *bcc_ptr = 0;
 403                bcc_ptr++;
 404        } */
 405        /* copy user */
 406        if (ses->user_name == NULL) {
 407                /* null user mount */
 408                *bcc_ptr = 0;
 409                *(bcc_ptr+1) = 0;
 410        } else {
 411                bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
 412                                            CIFS_MAX_USERNAME_LEN, nls_cp);
 413        }
 414        bcc_ptr += 2 * bytes_ret;
 415        bcc_ptr += 2; /* account for null termination */
 416
 417        unicode_domain_string(&bcc_ptr, ses, nls_cp);
 418        unicode_oslm_strings(&bcc_ptr, nls_cp);
 419
 420        *pbcc_area = bcc_ptr;
 421}
 422
 423static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
 424                                 const struct nls_table *nls_cp)
 425{
 426        char *bcc_ptr = *pbcc_area;
 427        int len;
 428
 429        /* copy user */
 430        /* BB what about null user mounts - check that we do this BB */
 431        /* copy user */
 432        if (ses->user_name != NULL) {
 433                len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
 434                if (WARN_ON_ONCE(len < 0))
 435                        len = CIFS_MAX_USERNAME_LEN - 1;
 436                bcc_ptr += len;
 437        }
 438        /* else null user mount */
 439        *bcc_ptr = 0;
 440        bcc_ptr++; /* account for null termination */
 441
 442        /* copy domain */
 443        if (ses->domainName != NULL) {
 444                len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
 445                if (WARN_ON_ONCE(len < 0))
 446                        len = CIFS_MAX_DOMAINNAME_LEN - 1;
 447                bcc_ptr += len;
 448        } /* else we will send a null domain name
 449             so the server will default to its own domain */
 450        *bcc_ptr = 0;
 451        bcc_ptr++;
 452
 453        /* BB check for overflow here */
 454
 455        strcpy(bcc_ptr, "Linux version ");
 456        bcc_ptr += strlen("Linux version ");
 457        strcpy(bcc_ptr, init_utsname()->release);
 458        bcc_ptr += strlen(init_utsname()->release) + 1;
 459
 460        strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
 461        bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
 462
 463        *pbcc_area = bcc_ptr;
 464}
 465
 466static void
 467decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
 468                      const struct nls_table *nls_cp)
 469{
 470        int len;
 471        char *data = *pbcc_area;
 472
 473        cifs_dbg(FYI, "bleft %d\n", bleft);
 474
 475        kfree(ses->serverOS);
 476        ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
 477        cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
 478        len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
 479        data += len;
 480        bleft -= len;
 481        if (bleft <= 0)
 482                return;
 483
 484        kfree(ses->serverNOS);
 485        ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
 486        cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
 487        len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
 488        data += len;
 489        bleft -= len;
 490        if (bleft <= 0)
 491                return;
 492
 493        kfree(ses->serverDomain);
 494        ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
 495        cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
 496
 497        return;
 498}
 499
 500static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
 501                                struct cifs_ses *ses,
 502                                const struct nls_table *nls_cp)
 503{
 504        int len;
 505        char *bcc_ptr = *pbcc_area;
 506
 507        cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
 508
 509        len = strnlen(bcc_ptr, bleft);
 510        if (len >= bleft)
 511                return;
 512
 513        kfree(ses->serverOS);
 514
 515        ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
 516        if (ses->serverOS) {
 517                memcpy(ses->serverOS, bcc_ptr, len);
 518                ses->serverOS[len] = 0;
 519                if (strncmp(ses->serverOS, "OS/2", 4) == 0)
 520                        cifs_dbg(FYI, "OS/2 server\n");
 521        }
 522
 523        bcc_ptr += len + 1;
 524        bleft -= len + 1;
 525
 526        len = strnlen(bcc_ptr, bleft);
 527        if (len >= bleft)
 528                return;
 529
 530        kfree(ses->serverNOS);
 531
 532        ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
 533        if (ses->serverNOS) {
 534                memcpy(ses->serverNOS, bcc_ptr, len);
 535                ses->serverNOS[len] = 0;
 536        }
 537
 538        bcc_ptr += len + 1;
 539        bleft -= len + 1;
 540
 541        len = strnlen(bcc_ptr, bleft);
 542        if (len > bleft)
 543                return;
 544
 545        /* No domain field in LANMAN case. Domain is
 546           returned by old servers in the SMB negprot response */
 547        /* BB For newer servers which do not support Unicode,
 548           but thus do return domain here we could add parsing
 549           for it later, but it is not very important */
 550        cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
 551}
 552
 553int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
 554                                    struct cifs_ses *ses)
 555{
 556        unsigned int tioffset; /* challenge message target info area */
 557        unsigned int tilen; /* challenge message target info area length  */
 558
 559        CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
 560
 561        if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
 562                cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
 563                return -EINVAL;
 564        }
 565
 566        if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
 567                cifs_dbg(VFS, "blob signature incorrect %s\n",
 568                         pblob->Signature);
 569                return -EINVAL;
 570        }
 571        if (pblob->MessageType != NtLmChallenge) {
 572                cifs_dbg(VFS, "Incorrect message type %d\n",
 573                         pblob->MessageType);
 574                return -EINVAL;
 575        }
 576
 577        memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
 578        /* BB we could decode pblob->NegotiateFlags; some may be useful */
 579        /* In particular we can examine sign flags */
 580        /* BB spec says that if AvId field of MsvAvTimestamp is populated then
 581                we must set the MIC field of the AUTHENTICATE_MESSAGE */
 582        ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
 583        tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
 584        tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
 585        if (tioffset > blob_len || tioffset + tilen > blob_len) {
 586                cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
 587                         tioffset, tilen);
 588                return -EINVAL;
 589        }
 590        if (tilen) {
 591                ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
 592                                                 GFP_KERNEL);
 593                if (!ses->auth_key.response) {
 594                        cifs_dbg(VFS, "Challenge target info alloc failure\n");
 595                        return -ENOMEM;
 596                }
 597                ses->auth_key.len = tilen;
 598        }
 599
 600        return 0;
 601}
 602
 603/* BB Move to ntlmssp.c eventually */
 604
 605/* We do not malloc the blob, it is passed in pbuffer, because
 606   it is fixed size, and small, making this approach cleaner */
 607void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 608                                         struct cifs_ses *ses)
 609{
 610        struct TCP_Server_Info *server = cifs_ses_server(ses);
 611        NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
 612        __u32 flags;
 613
 614        memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
 615        memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
 616        sec_blob->MessageType = NtLmNegotiate;
 617
 618        /* BB is NTLMV2 session security format easier to use here? */
 619        flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
 620                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
 621                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
 622                NTLMSSP_NEGOTIATE_SEAL;
 623        if (server->sign)
 624                flags |= NTLMSSP_NEGOTIATE_SIGN;
 625        if (!server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
 626                flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 627
 628        sec_blob->NegotiateFlags = cpu_to_le32(flags);
 629
 630        sec_blob->WorkstationName.BufferOffset = 0;
 631        sec_blob->WorkstationName.Length = 0;
 632        sec_blob->WorkstationName.MaximumLength = 0;
 633
 634        /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
 635        sec_blob->DomainName.BufferOffset = 0;
 636        sec_blob->DomainName.Length = 0;
 637        sec_blob->DomainName.MaximumLength = 0;
 638}
 639
 640static int size_of_ntlmssp_blob(struct cifs_ses *ses)
 641{
 642        int sz = sizeof(AUTHENTICATE_MESSAGE) + ses->auth_key.len
 643                - CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
 644
 645        if (ses->domainName)
 646                sz += 2 * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
 647        else
 648                sz += 2;
 649
 650        if (ses->user_name)
 651                sz += 2 * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
 652        else
 653                sz += 2;
 654
 655        return sz;
 656}
 657
 658int build_ntlmssp_auth_blob(unsigned char **pbuffer,
 659                                        u16 *buflen,
 660                                   struct cifs_ses *ses,
 661                                   const struct nls_table *nls_cp)
 662{
 663        int rc;
 664        AUTHENTICATE_MESSAGE *sec_blob;
 665        __u32 flags;
 666        unsigned char *tmp;
 667
 668        rc = setup_ntlmv2_rsp(ses, nls_cp);
 669        if (rc) {
 670                cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
 671                *buflen = 0;
 672                goto setup_ntlmv2_ret;
 673        }
 674        *pbuffer = kmalloc(size_of_ntlmssp_blob(ses), GFP_KERNEL);
 675        if (!*pbuffer) {
 676                rc = -ENOMEM;
 677                cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
 678                *buflen = 0;
 679                goto setup_ntlmv2_ret;
 680        }
 681        sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
 682
 683        memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
 684        sec_blob->MessageType = NtLmAuthenticate;
 685
 686        flags = NTLMSSP_NEGOTIATE_56 |
 687                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
 688                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
 689                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
 690                NTLMSSP_NEGOTIATE_SEAL;
 691        if (ses->server->sign)
 692                flags |= NTLMSSP_NEGOTIATE_SIGN;
 693        if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
 694                flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 695
 696        tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
 697        sec_blob->NegotiateFlags = cpu_to_le32(flags);
 698
 699        sec_blob->LmChallengeResponse.BufferOffset =
 700                                cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
 701        sec_blob->LmChallengeResponse.Length = 0;
 702        sec_blob->LmChallengeResponse.MaximumLength = 0;
 703
 704        sec_blob->NtChallengeResponse.BufferOffset =
 705                                cpu_to_le32(tmp - *pbuffer);
 706        if (ses->user_name != NULL) {
 707                memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
 708                                ses->auth_key.len - CIFS_SESS_KEY_SIZE);
 709                tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
 710
 711                sec_blob->NtChallengeResponse.Length =
 712                                cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
 713                sec_blob->NtChallengeResponse.MaximumLength =
 714                                cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
 715        } else {
 716                /*
 717                 * don't send an NT Response for anonymous access
 718                 */
 719                sec_blob->NtChallengeResponse.Length = 0;
 720                sec_blob->NtChallengeResponse.MaximumLength = 0;
 721        }
 722
 723        if (ses->domainName == NULL) {
 724                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 725                sec_blob->DomainName.Length = 0;
 726                sec_blob->DomainName.MaximumLength = 0;
 727                tmp += 2;
 728        } else {
 729                int len;
 730                len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
 731                                      CIFS_MAX_DOMAINNAME_LEN, nls_cp);
 732                len *= 2; /* unicode is 2 bytes each */
 733                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 734                sec_blob->DomainName.Length = cpu_to_le16(len);
 735                sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
 736                tmp += len;
 737        }
 738
 739        if (ses->user_name == NULL) {
 740                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 741                sec_blob->UserName.Length = 0;
 742                sec_blob->UserName.MaximumLength = 0;
 743                tmp += 2;
 744        } else {
 745                int len;
 746                len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
 747                                      CIFS_MAX_USERNAME_LEN, nls_cp);
 748                len *= 2; /* unicode is 2 bytes each */
 749                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 750                sec_blob->UserName.Length = cpu_to_le16(len);
 751                sec_blob->UserName.MaximumLength = cpu_to_le16(len);
 752                tmp += len;
 753        }
 754
 755        sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 756        sec_blob->WorkstationName.Length = 0;
 757        sec_blob->WorkstationName.MaximumLength = 0;
 758        tmp += 2;
 759
 760        if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
 761                (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
 762                        && !calc_seckey(ses)) {
 763                memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
 764                sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 765                sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
 766                sec_blob->SessionKey.MaximumLength =
 767                                cpu_to_le16(CIFS_CPHTXT_SIZE);
 768                tmp += CIFS_CPHTXT_SIZE;
 769        } else {
 770                sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 771                sec_blob->SessionKey.Length = 0;
 772                sec_blob->SessionKey.MaximumLength = 0;
 773        }
 774
 775        *buflen = tmp - *pbuffer;
 776setup_ntlmv2_ret:
 777        return rc;
 778}
 779
 780enum securityEnum
 781cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
 782{
 783        switch (server->negflavor) {
 784        case CIFS_NEGFLAVOR_EXTENDED:
 785                switch (requested) {
 786                case Kerberos:
 787                case RawNTLMSSP:
 788                        return requested;
 789                case Unspecified:
 790                        if (server->sec_ntlmssp &&
 791                            (global_secflags & CIFSSEC_MAY_NTLMSSP))
 792                                return RawNTLMSSP;
 793                        if ((server->sec_kerberos || server->sec_mskerberos) &&
 794                            (global_secflags & CIFSSEC_MAY_KRB5))
 795                                return Kerberos;
 796                        fallthrough;
 797                default:
 798                        return Unspecified;
 799                }
 800        case CIFS_NEGFLAVOR_UNENCAP:
 801                switch (requested) {
 802                case NTLM:
 803                case NTLMv2:
 804                        return requested;
 805                case Unspecified:
 806                        if (global_secflags & CIFSSEC_MAY_NTLMV2)
 807                                return NTLMv2;
 808                        if (global_secflags & CIFSSEC_MAY_NTLM)
 809                                return NTLM;
 810                        break;
 811                default:
 812                        break;
 813                }
 814                fallthrough;    /* to attempt LANMAN authentication next */
 815        case CIFS_NEGFLAVOR_LANMAN:
 816                switch (requested) {
 817                case LANMAN:
 818                        return requested;
 819                case Unspecified:
 820                        if (global_secflags & CIFSSEC_MAY_LANMAN)
 821                                return LANMAN;
 822                        fallthrough;
 823                default:
 824                        return Unspecified;
 825                }
 826        default:
 827                return Unspecified;
 828        }
 829}
 830
 831struct sess_data {
 832        unsigned int xid;
 833        struct cifs_ses *ses;
 834        struct nls_table *nls_cp;
 835        void (*func)(struct sess_data *);
 836        int result;
 837
 838        /* we will send the SMB in three pieces:
 839         * a fixed length beginning part, an optional
 840         * SPNEGO blob (which can be zero length), and a
 841         * last part which will include the strings
 842         * and rest of bcc area. This allows us to avoid
 843         * a large buffer 17K allocation
 844         */
 845        int buf0_type;
 846        struct kvec iov[3];
 847};
 848
 849static int
 850sess_alloc_buffer(struct sess_data *sess_data, int wct)
 851{
 852        int rc;
 853        struct cifs_ses *ses = sess_data->ses;
 854        struct smb_hdr *smb_buf;
 855
 856        rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
 857                                  (void **)&smb_buf);
 858
 859        if (rc)
 860                return rc;
 861
 862        sess_data->iov[0].iov_base = (char *)smb_buf;
 863        sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
 864        /*
 865         * This variable will be used to clear the buffer
 866         * allocated above in case of any error in the calling function.
 867         */
 868        sess_data->buf0_type = CIFS_SMALL_BUFFER;
 869
 870        /* 2000 big enough to fit max user, domain, NOS name etc. */
 871        sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
 872        if (!sess_data->iov[2].iov_base) {
 873                rc = -ENOMEM;
 874                goto out_free_smb_buf;
 875        }
 876
 877        return 0;
 878
 879out_free_smb_buf:
 880        kfree(smb_buf);
 881        sess_data->iov[0].iov_base = NULL;
 882        sess_data->iov[0].iov_len = 0;
 883        sess_data->buf0_type = CIFS_NO_BUFFER;
 884        return rc;
 885}
 886
 887static void
 888sess_free_buffer(struct sess_data *sess_data)
 889{
 890
 891        free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
 892        sess_data->buf0_type = CIFS_NO_BUFFER;
 893        kfree(sess_data->iov[2].iov_base);
 894}
 895
 896static int
 897sess_establish_session(struct sess_data *sess_data)
 898{
 899        struct cifs_ses *ses = sess_data->ses;
 900
 901        mutex_lock(&ses->server->srv_mutex);
 902        if (!ses->server->session_estab) {
 903                if (ses->server->sign) {
 904                        ses->server->session_key.response =
 905                                kmemdup(ses->auth_key.response,
 906                                ses->auth_key.len, GFP_KERNEL);
 907                        if (!ses->server->session_key.response) {
 908                                mutex_unlock(&ses->server->srv_mutex);
 909                                return -ENOMEM;
 910                        }
 911                        ses->server->session_key.len =
 912                                                ses->auth_key.len;
 913                }
 914                ses->server->sequence_number = 0x2;
 915                ses->server->session_estab = true;
 916        }
 917        mutex_unlock(&ses->server->srv_mutex);
 918
 919        cifs_dbg(FYI, "CIFS session established successfully\n");
 920        spin_lock(&GlobalMid_Lock);
 921        ses->status = CifsGood;
 922        ses->need_reconnect = false;
 923        spin_unlock(&GlobalMid_Lock);
 924
 925        return 0;
 926}
 927
 928static int
 929sess_sendreceive(struct sess_data *sess_data)
 930{
 931        int rc;
 932        struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
 933        __u16 count;
 934        struct kvec rsp_iov = { NULL, 0 };
 935
 936        count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
 937        be32_add_cpu(&smb_buf->smb_buf_length, count);
 938        put_bcc(count, smb_buf);
 939
 940        rc = SendReceive2(sess_data->xid, sess_data->ses,
 941                          sess_data->iov, 3 /* num_iovecs */,
 942                          &sess_data->buf0_type,
 943                          CIFS_LOG_ERROR, &rsp_iov);
 944        cifs_small_buf_release(sess_data->iov[0].iov_base);
 945        memcpy(&sess_data->iov[0], &rsp_iov, sizeof(struct kvec));
 946
 947        return rc;
 948}
 949
 950/*
 951 * LANMAN and plaintext are less secure and off by default.
 952 * So we make this explicitly be turned on in kconfig (in the
 953 * build) and turned on at runtime (changed from the default)
 954 * in proc/fs/cifs or via mount parm.  Unfortunately this is
 955 * needed for old Win (e.g. Win95), some obscure NAS and OS/2
 956 */
 957#ifdef CONFIG_CIFS_WEAK_PW_HASH
 958static void
 959sess_auth_lanman(struct sess_data *sess_data)
 960{
 961        int rc = 0;
 962        struct smb_hdr *smb_buf;
 963        SESSION_SETUP_ANDX *pSMB;
 964        char *bcc_ptr;
 965        struct cifs_ses *ses = sess_data->ses;
 966        char lnm_session_key[CIFS_AUTH_RESP_SIZE];
 967        __u16 bytes_remaining;
 968
 969        /* lanman 2 style sessionsetup */
 970        /* wct = 10 */
 971        rc = sess_alloc_buffer(sess_data, 10);
 972        if (rc)
 973                goto out;
 974
 975        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
 976        bcc_ptr = sess_data->iov[2].iov_base;
 977        (void)cifs_ssetup_hdr(ses, pSMB);
 978
 979        pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
 980
 981        if (ses->user_name != NULL) {
 982                /* no capabilities flags in old lanman negotiation */
 983                pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
 984
 985                /* Calculate hash with password and copy into bcc_ptr.
 986                 * Encryption Key (stored as in cryptkey) gets used if the
 987                 * security mode bit in Negotiate Protocol response states
 988                 * to use challenge/response method (i.e. Password bit is 1).
 989                 */
 990                rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
 991                                      ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
 992                                      true : false, lnm_session_key);
 993                if (rc)
 994                        goto out;
 995
 996                memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
 997                bcc_ptr += CIFS_AUTH_RESP_SIZE;
 998        } else {
 999                pSMB->old_req.PasswordLength = 0;
1000        }

1001
1002        /*
1003         * can not sign if LANMAN negotiated so no need
1004         * to calculate signing key? but what if server
1005         * changed to do higher than lanman dialect and
1006         * we reconnected would we ever calc signing_key?
1007         */
1008
1009        cifs_dbg(FYI, "Negotiating LANMAN setting up strings\n");
1010        /* Unicode not allowed for LANMAN dialects */
1011        ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1012
1013        sess_data->iov[2].iov_len = (long) bcc_ptr -
1014                        (long) sess_data->iov[2].iov_base;
1015
1016        rc = sess_sendreceive(sess_data);
1017        if (rc)
1018                goto out;
1019
1020        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1021        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1022
1023        /* lanman response has a word count of 3 */
1024        if (smb_buf->WordCount != 3) {
1025                rc = -EIO;
1026                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1027                goto out;
1028        }
1029
1030        if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1031                cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1032
1033        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1034        cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1035
1036        bytes_remaining = get_bcc(smb_buf);
1037        bcc_ptr = pByteArea(smb_buf);
1038
1039        /* BB check if Unicode and decode strings */
1040        if (bytes_remaining == 0) {
1041                /* no string area to decode, do nothing */
1042        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1043                /* unicode string area must be word-aligned */
1044                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1045                        ++bcc_ptr;
1046                        --bytes_remaining;
1047                }
1048                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1049                                      sess_data->nls_cp);
1050        } else {
1051                decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1052                                    sess_data->nls_cp);
1053        }
1054
1055        rc = sess_establish_session(sess_data);
1056out:
1057        sess_data->result = rc;
1058        sess_data->func = NULL;
1059        sess_free_buffer(sess_data);
1060}
1061
1062#endif
1063
1064static void
1065sess_auth_ntlm(struct sess_data *sess_data)
1066{
1067        int rc = 0;
1068        struct smb_hdr *smb_buf;
1069        SESSION_SETUP_ANDX *pSMB;
1070        char *bcc_ptr;
1071        struct cifs_ses *ses = sess_data->ses;
1072        __u32 capabilities;
1073        __u16 bytes_remaining;
1074
1075        /* old style NTLM sessionsetup */
1076        /* wct = 13 */
1077        rc = sess_alloc_buffer(sess_data, 13);
1078        if (rc)
1079                goto out;
1080
1081        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1082        bcc_ptr = sess_data->iov[2].iov_base;
1083        capabilities = cifs_ssetup_hdr(ses, pSMB);
1084
1085        pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1086        if (ses->user_name != NULL) {
1087                pSMB->req_no_secext.CaseInsensitivePasswordLength =
1088                                cpu_to_le16(CIFS_AUTH_RESP_SIZE);
1089                pSMB->req_no_secext.CaseSensitivePasswordLength =
1090                                cpu_to_le16(CIFS_AUTH_RESP_SIZE);
1091
1092                /* calculate ntlm response and session key */
1093                rc = setup_ntlm_response(ses, sess_data->nls_cp);
1094                if (rc) {
1095                        cifs_dbg(VFS, "Error %d during NTLM authentication\n",
1096                                         rc);
1097                        goto out;
1098                }
1099
1100                /* copy ntlm response */
1101                memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1102                                CIFS_AUTH_RESP_SIZE);
1103                bcc_ptr += CIFS_AUTH_RESP_SIZE;
1104                memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1105                                CIFS_AUTH_RESP_SIZE);
1106                bcc_ptr += CIFS_AUTH_RESP_SIZE;
1107        } else {
1108                pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1109                pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1110        }
1111
1112        if (ses->capabilities & CAP_UNICODE) {
1113                /* unicode strings must be word aligned */
1114                if (sess_data->iov[0].iov_len % 2) {
1115                        *bcc_ptr = 0;
1116                        bcc_ptr++;
1117                }
1118                unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1119        } else {
1120                ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1121        }
1122
1123
1124        sess_data->iov[2].iov_len = (long) bcc_ptr -
1125                        (long) sess_data->iov[2].iov_base;
1126
1127        rc = sess_sendreceive(sess_data);
1128        if (rc)
1129                goto out;
1130
1131        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1132        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1133
1134        if (smb_buf->WordCount != 3) {
1135                rc = -EIO;
1136                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1137                goto out;
1138        }
1139
1140        if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1141                cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1142
1143        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1144        cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1145
1146        bytes_remaining = get_bcc(smb_buf);
1147        bcc_ptr = pByteArea(smb_buf);
1148
1149        /* BB check if Unicode and decode strings */
1150        if (bytes_remaining == 0) {
1151                /* no string area to decode, do nothing */
1152        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1153                /* unicode string area must be word-aligned */
1154                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1155                        ++bcc_ptr;
1156                        --bytes_remaining;
1157                }
1158                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1159                                      sess_data->nls_cp);
1160        } else {
1161                decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1162                                    sess_data->nls_cp);
1163        }
1164
1165        rc = sess_establish_session(sess_data);
1166out:
1167        sess_data->result = rc;
1168        sess_data->func = NULL;
1169        sess_free_buffer(sess_data);
1170        kfree(ses->auth_key.response);
1171        ses->auth_key.response = NULL;
1172}
1173
1174static void
1175sess_auth_ntlmv2(struct sess_data *sess_data)
1176{
1177        int rc = 0;
1178        struct smb_hdr *smb_buf;
1179        SESSION_SETUP_ANDX *pSMB;
1180        char *bcc_ptr;
1181        struct cifs_ses *ses = sess_data->ses;
1182        __u32 capabilities;
1183        __u16 bytes_remaining;
1184
1185        /* old style NTLM sessionsetup */
1186        /* wct = 13 */
1187        rc = sess_alloc_buffer(sess_data, 13);
1188        if (rc)
1189                goto out;
1190
1191        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1192        bcc_ptr = sess_data->iov[2].iov_base;
1193        capabilities = cifs_ssetup_hdr(ses, pSMB);
1194
1195        pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1196
1197        /* LM2 password would be here if we supported it */
1198        pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
1199
1200        if (ses->user_name != NULL) {
1201                /* calculate nlmv2 response and session key */
1202                rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1203                if (rc) {
1204                        cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1205                        goto out;
1206                }
1207
1208                memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1209                                ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1210                bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1211
1212                /* set case sensitive password length after tilen may get
1213                 * assigned, tilen is 0 otherwise.
1214                 */
1215                pSMB->req_no_secext.CaseSensitivePasswordLength =
1216                        cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1217        } else {
1218                pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
1219        }
1220
1221        if (ses->capabilities & CAP_UNICODE) {
1222                if (sess_data->iov[0].iov_len % 2) {
1223                        *bcc_ptr = 0;
1224                        bcc_ptr++;
1225                }
1226                unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1227        } else {
1228                ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1229        }
1230
1231
1232        sess_data->iov[2].iov_len = (long) bcc_ptr -
1233                        (long) sess_data->iov[2].iov_base;
1234
1235        rc = sess_sendreceive(sess_data);
1236        if (rc)
1237                goto out;
1238
1239        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1240        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1241
1242        if (smb_buf->WordCount != 3) {
1243                rc = -EIO;
1244                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1245                goto out;
1246        }
1247
1248        if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1249                cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1250
1251        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1252        cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1253
1254        bytes_remaining = get_bcc(smb_buf);
1255        bcc_ptr = pByteArea(smb_buf);
1256
1257        /* BB check if Unicode and decode strings */
1258        if (bytes_remaining == 0) {
1259                /* no string area to decode, do nothing */
1260        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1261                /* unicode string area must be word-aligned */
1262                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1263                        ++bcc_ptr;
1264                        --bytes_remaining;
1265                }
1266                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1267                                      sess_data->nls_cp);
1268        } else {
1269                decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1270                                    sess_data->nls_cp);
1271        }
1272
1273        rc = sess_establish_session(sess_data);
1274out:
1275        sess_data->result = rc;
1276        sess_data->func = NULL;
1277        sess_free_buffer(sess_data);
1278        kfree(ses->auth_key.response);
1279        ses->auth_key.response = NULL;
1280}
1281
1282#ifdef CONFIG_CIFS_UPCALL
1283static void
1284sess_auth_kerberos(struct sess_data *sess_data)
1285{
1286        int rc = 0;
1287        struct smb_hdr *smb_buf;
1288        SESSION_SETUP_ANDX *pSMB;
1289        char *bcc_ptr;
1290        struct cifs_ses *ses = sess_data->ses;
1291        __u32 capabilities;
1292        __u16 bytes_remaining;
1293        struct key *spnego_key = NULL;
1294        struct cifs_spnego_msg *msg;
1295        u16 blob_len;
1296
1297        /* extended security */
1298        /* wct = 12 */
1299        rc = sess_alloc_buffer(sess_data, 12);
1300        if (rc)
1301                goto out;
1302
1303        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1304        bcc_ptr = sess_data->iov[2].iov_base;
1305        capabilities = cifs_ssetup_hdr(ses, pSMB);
1306
1307        spnego_key = cifs_get_spnego_key(ses);
1308        if (IS_ERR(spnego_key)) {
1309                rc = PTR_ERR(spnego_key);
1310                spnego_key = NULL;
1311                goto out;
1312        }
1313
1314        msg = spnego_key->payload.data[0];
1315        /*
1316         * check version field to make sure that cifs.upcall is
1317         * sending us a response in an expected form
1318         */
1319        if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1320                cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1321                         CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1322                rc = -EKEYREJECTED;
1323                goto out_put_spnego_key;
1324        }
1325
1326        ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1327                                         GFP_KERNEL);
1328        if (!ses->auth_key.response) {
1329                cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1330                         msg->sesskey_len);
1331                rc = -ENOMEM;
1332                goto out_put_spnego_key;
1333        }
1334        ses->auth_key.len = msg->sesskey_len;
1335
1336        pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1337        capabilities |= CAP_EXTENDED_SECURITY;
1338        pSMB->req.Capabilities = cpu_to_le32(capabilities);
1339        sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1340        sess_data->iov[1].iov_len = msg->secblob_len;
1341        pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1342
1343        if (ses->capabilities & CAP_UNICODE) {
1344                /* unicode strings must be word aligned */
1345                if ((sess_data->iov[0].iov_len
1346                        + sess_data->iov[1].iov_len) % 2) {
1347                        *bcc_ptr = 0;
1348                        bcc_ptr++;
1349                }
1350                unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1351                unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1352        } else {
1353                /* BB: is this right? */
1354                ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1355        }
1356
1357        sess_data->iov[2].iov_len = (long) bcc_ptr -
1358                        (long) sess_data->iov[2].iov_base;
1359
1360        rc = sess_sendreceive(sess_data);
1361        if (rc)
1362                goto out_put_spnego_key;
1363
1364        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1365        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1366
1367        if (smb_buf->WordCount != 4) {
1368                rc = -EIO;
1369                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1370                goto out_put_spnego_key;
1371        }
1372
1373        if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1374                cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1375
1376        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1377        cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1378
1379        bytes_remaining = get_bcc(smb_buf);
1380        bcc_ptr = pByteArea(smb_buf);
1381
1382        blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1383        if (blob_len > bytes_remaining) {
1384                cifs_dbg(VFS, "bad security blob length %d\n",
1385                                blob_len);
1386                rc = -EINVAL;
1387                goto out_put_spnego_key;
1388        }
1389        bcc_ptr += blob_len;
1390        bytes_remaining -= blob_len;
1391
1392        /* BB check if Unicode and decode strings */
1393        if (bytes_remaining == 0) {
1394                /* no string area to decode, do nothing */
1395        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1396                /* unicode string area must be word-aligned */
1397                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1398                        ++bcc_ptr;
1399                        --bytes_remaining;
1400                }
1401                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1402                                      sess_data->nls_cp);
1403        } else {
1404                decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1405                                    sess_data->nls_cp);
1406        }
1407
1408        rc = sess_establish_session(sess_data);
1409out_put_spnego_key:
1410        key_invalidate(spnego_key);
1411        key_put(spnego_key);
1412out:
1413        sess_data->result = rc;
1414        sess_data->func = NULL;
1415        sess_free_buffer(sess_data);
1416        kfree(ses->auth_key.response);
1417        ses->auth_key.response = NULL;
1418}
1419
1420#endif /* ! CONFIG_CIFS_UPCALL */
1421
1422/*
1423 * The required kvec buffers have to be allocated before calling this
1424 * function.
1425 */
1426static int
1427_sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1428{
1429        SESSION_SETUP_ANDX *pSMB;
1430        struct cifs_ses *ses = sess_data->ses;
1431        __u32 capabilities;
1432        char *bcc_ptr;
1433
1434        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1435
1436        capabilities = cifs_ssetup_hdr(ses, pSMB);
1437        if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
1438                cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
1439                return -ENOSYS;
1440        }
1441
1442        pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1443        capabilities |= CAP_EXTENDED_SECURITY;
1444        pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1445
1446        bcc_ptr = sess_data->iov[2].iov_base;
1447        /* unicode strings must be word aligned */
1448        if ((sess_data->iov[0].iov_len + sess_data->iov[1].iov_len) % 2) {
1449                *bcc_ptr = 0;
1450                bcc_ptr++;
1451        }
1452        unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1453
1454        sess_data->iov[2].iov_len = (long) bcc_ptr -
1455                                        (long) sess_data->iov[2].iov_base;
1456
1457        return 0;
1458}
1459
1460static void
1461sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1462
1463static void
1464sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1465{
1466        int rc;
1467        struct smb_hdr *smb_buf;
1468        SESSION_SETUP_ANDX *pSMB;
1469        struct cifs_ses *ses = sess_data->ses;
1470        __u16 bytes_remaining;
1471        char *bcc_ptr;
1472        u16 blob_len;
1473
1474        cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1475
1476        /*
1477         * if memory allocation is successful, caller of this function
1478         * frees it.
1479         */
1480        ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1481        if (!ses->ntlmssp) {
1482                rc = -ENOMEM;
1483                goto out;
1484        }
1485        ses->ntlmssp->sesskey_per_smbsess = false;
1486
1487        /* wct = 12 */
1488        rc = sess_alloc_buffer(sess_data, 12);
1489        if (rc)
1490                goto out;
1491
1492        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1493
1494        /* Build security blob before we assemble the request */
1495        build_ntlmssp_negotiate_blob(pSMB->req.SecurityBlob, ses);
1496        sess_data->iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
1497        sess_data->iov[1].iov_base = pSMB->req.SecurityBlob;
1498        pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
1499
1500        rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1501        if (rc)
1502                goto out;
1503
1504        rc = sess_sendreceive(sess_data);
1505
1506        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1507        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1508
1509        /* If true, rc here is expected and not an error */
1510        if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1511            smb_buf->Status.CifsError ==
1512                        cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1513                rc = 0;
1514
1515        if (rc)
1516                goto out;
1517
1518        cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1519
1520        if (smb_buf->WordCount != 4) {
1521                rc = -EIO;
1522                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1523                goto out;
1524        }
1525
1526        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1527        cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1528
1529        bytes_remaining = get_bcc(smb_buf);
1530        bcc_ptr = pByteArea(smb_buf);
1531
1532        blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1533        if (blob_len > bytes_remaining) {
1534                cifs_dbg(VFS, "bad security blob length %d\n",
1535                                blob_len);
1536                rc = -EINVAL;
1537                goto out;
1538        }
1539
1540        rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1541out:
1542        sess_free_buffer(sess_data);
1543
1544        if (!rc) {
1545                sess_data->func = sess_auth_rawntlmssp_authenticate;
1546                return;
1547        }
1548
1549        /* Else error. Cleanup */
1550        kfree(ses->auth_key.response);
1551        ses->auth_key.response = NULL;
1552        kfree(ses->ntlmssp);
1553        ses->ntlmssp = NULL;
1554
1555        sess_data->func = NULL;
1556        sess_data->result = rc;
1557}
1558
1559static void
1560sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1561{
1562        int rc;
1563        struct smb_hdr *smb_buf;
1564        SESSION_SETUP_ANDX *pSMB;
1565        struct cifs_ses *ses = sess_data->ses;
1566        __u16 bytes_remaining;
1567        char *bcc_ptr;
1568        unsigned char *ntlmsspblob = NULL;
1569        u16 blob_len;
1570
1571        cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1572
1573        /* wct = 12 */
1574        rc = sess_alloc_buffer(sess_data, 12);
1575        if (rc)
1576                goto out;
1577
1578        /* Build security blob before we assemble the request */
1579        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1580        smb_buf = (struct smb_hdr *)pSMB;
1581        rc = build_ntlmssp_auth_blob(&ntlmsspblob,
1582                                        &blob_len, ses, sess_data->nls_cp);
1583        if (rc)
1584                goto out_free_ntlmsspblob;
1585        sess_data->iov[1].iov_len = blob_len;
1586        sess_data->iov[1].iov_base = ntlmsspblob;
1587        pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1588        /*
1589         * Make sure that we tell the server that we are using
1590         * the uid that it just gave us back on the response
1591         * (challenge)
1592         */
1593        smb_buf->Uid = ses->Suid;
1594
1595        rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1596        if (rc)
1597                goto out_free_ntlmsspblob;
1598
1599        rc = sess_sendreceive(sess_data);
1600        if (rc)
1601                goto out_free_ntlmsspblob;
1602
1603        pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1604        smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1605        if (smb_buf->WordCount != 4) {
1606                rc = -EIO;
1607                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1608                goto out_free_ntlmsspblob;
1609        }
1610
1611        if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1612                cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1613
1614        if (ses->Suid != smb_buf->Uid) {
1615                ses->Suid = smb_buf->Uid;
1616                cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1617        }
1618
1619        bytes_remaining = get_bcc(smb_buf);
1620        bcc_ptr = pByteArea(smb_buf);
1621        blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1622        if (blob_len > bytes_remaining) {
1623                cifs_dbg(VFS, "bad security blob length %d\n",
1624                                blob_len);
1625                rc = -EINVAL;
1626                goto out_free_ntlmsspblob;
1627        }
1628        bcc_ptr += blob_len;
1629        bytes_remaining -= blob_len;
1630
1631
1632        /* BB check if Unicode and decode strings */
1633        if (bytes_remaining == 0) {
1634                /* no string area to decode, do nothing */
1635        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1636                /* unicode string area must be word-aligned */
1637                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1638                        ++bcc_ptr;
1639                        --bytes_remaining;
1640                }
1641                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1642                                      sess_data->nls_cp);
1643        } else {
1644                decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1645                                    sess_data->nls_cp);
1646        }
1647
1648out_free_ntlmsspblob:
1649        kfree(ntlmsspblob);
1650out:
1651        sess_free_buffer(sess_data);
1652
1653         if (!rc)
1654                rc = sess_establish_session(sess_data);
1655
1656        /* Cleanup */
1657        kfree(ses->auth_key.response);
1658        ses->auth_key.response = NULL;
1659        kfree(ses->ntlmssp);
1660        ses->ntlmssp = NULL;
1661
1662        sess_data->func = NULL;
1663        sess_data->result = rc;
1664}
1665
1666static int select_sec(struct cifs_ses *ses, struct sess_data *sess_data)
1667{
1668        int type;
1669
1670        type = cifs_select_sectype(ses->server, ses->sectype);
1671        cifs_dbg(FYI, "sess setup type %d\n", type);
1672        if (type == Unspecified) {
1673                cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1674                return -EINVAL;
1675        }
1676
1677        switch (type) {
1678        case LANMAN:
1679                /* LANMAN and plaintext are less secure and off by default.
1680                 * So we make this explicitly be turned on in kconfig (in the
1681                 * build) and turned on at runtime (changed from the default)
1682                 * in proc/fs/cifs or via mount parm.  Unfortunately this is
1683                 * needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
1684#ifdef CONFIG_CIFS_WEAK_PW_HASH
1685                sess_data->func = sess_auth_lanman;
1686                break;
1687#else
1688                return -EOPNOTSUPP;
1689#endif
1690        case NTLM:
1691                sess_data->func = sess_auth_ntlm;
1692                break;
1693        case NTLMv2:
1694                sess_data->func = sess_auth_ntlmv2;
1695                break;
1696        case Kerberos:
1697#ifdef CONFIG_CIFS_UPCALL
1698                sess_data->func = sess_auth_kerberos;
1699                break;
1700#else
1701                cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1702                return -ENOSYS;
1703#endif /* CONFIG_CIFS_UPCALL */
1704        case RawNTLMSSP:
1705                sess_data->func = sess_auth_rawntlmssp_negotiate;
1706                break;
1707        default:
1708                cifs_dbg(VFS, "secType %d not supported!\n", type);
1709                return -ENOSYS;
1710        }
1711
1712        return 0;
1713}
1714
1715int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1716                    const struct nls_table *nls_cp)
1717{
1718        int rc = 0;
1719        struct sess_data *sess_data;
1720
1721        if (ses == NULL) {
1722                WARN(1, "%s: ses == NULL!", __func__);
1723                return -EINVAL;
1724        }
1725
1726        sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
1727        if (!sess_data)
1728                return -ENOMEM;
1729
1730        rc = select_sec(ses, sess_data);
1731        if (rc)
1732                goto out;
1733
1734        sess_data->xid = xid;
1735        sess_data->ses = ses;
1736        sess_data->buf0_type = CIFS_NO_BUFFER;
1737        sess_data->nls_cp = (struct nls_table *) nls_cp;
1738
1739        while (sess_data->func)
1740                sess_data->func(sess_data);
1741
1742        /* Store result before we free sess_data */
1743        rc = sess_data->result;
1744
1745out:
1746        kfree(sess_data);
1747        return rc;
1748}
1749