sess.c 28.6 KB
Newer Older
1 2 3 4 5
/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2009
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include <linux/slab.h>
33
#include "cifs_spnego.h"
34

35 36 37 38 39
/*
 * Checks if this is the first smb session to be reconnected after
 * the socket has been reestablished (so we know whether to use vc 0).
 * Called while holding the cifs_tcp_ses_lock, so do not block
 */
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79
static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
{
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;

	list_for_each(tmp, &ses->server->smb_ses_list) {
		tmp_ses = list_entry(tmp, struct cifsSesInfo,
				     smb_ses_list);
		if (tmp_ses->need_reconnect == false)
			return false;
	}
	/* could not find a session that was already connected,
	   this must be the first one we are reconnecting */
	return true;
}

/*
 *	vc number 0 is treated specially by some servers, and should be the
 *      first one we request.  After that we can use vcnumbers up to maxvcs,
 *	one for each smb session (some Windows versions set maxvcs incorrectly
 *	so maxvc=1 can be ignored).  If we have too many vcs, we can reuse
 *	any vc but zero (some servers reset the connection on vcnum zero)
 *
 */
static __le16 get_next_vcnum(struct cifsSesInfo *ses)
{
	__u16 vcnum = 0;
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;
	__u16 max_vcs = ses->server->max_vcs;
	__u16 i;
	int free_vc_found = 0;

	/* Quoting the MS-SMB specification: "Windows-based SMB servers set this
	field to one but do not enforce this limit, which allows an SMB client
	to establish more virtual circuits than allowed by this value ... but
	other server implementations can enforce this limit." */
	if (max_vcs < 2)
		max_vcs = 0xFFFF;

80
	spin_lock(&cifs_tcp_ses_lock);
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111
	if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
			goto get_vc_num_exit;  /* vcnum will be zero */
	for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
		if (i == 0) /* this is the only connection, use vc 0 */
			break;

		free_vc_found = 1;

		list_for_each(tmp, &ses->server->smb_ses_list) {
			tmp_ses = list_entry(tmp, struct cifsSesInfo,
					     smb_ses_list);
			if (tmp_ses->vcnum == i) {
				free_vc_found = 0;
				break; /* found duplicate, try next vcnum */
			}
		}
		if (free_vc_found)
			break; /* we found a vcnumber that will work - use it */
	}

	if (i == 0)
		vcnum = 0; /* for most common case, ie if one smb session, use
			      vc zero.  Also for case when no free vcnum, zero
			      is safest to send (some clients only send zero) */
	else if (free_vc_found == 0)
		vcnum = 1;  /* we can not reuse vc=0 safely, since some servers
				reset all uids on that, but 1 is ok. */
	else
		vcnum = i;
	ses->vcnum = vcnum;
get_vc_num_exit:
112
	spin_unlock(&cifs_tcp_ses_lock);
113

114
	return cpu_to_le16(vcnum);
115 116
}

117 118 119 120 121
static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
122 123 124 125
	/* Note that offsets for first seven fields in req struct are same  */
	/*	in CIFS Specs so does not matter which of 3 forms of struct */
	/*	that we use in next few lines                               */
	/* Note that header is initialized to zero in header_assemble */
126 127 128
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
129
	pSMB->req.VcNumber = get_next_vcnum(ses);
130 131 132

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

S
Steve French 已提交
133
	/* BB verify whether signing required on neg or just on auth frame
134 135 136 137 138
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

S
Steve French 已提交
139 140
	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
141 142 143 144 145 146 147 148 149 150 151 152 153 154
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
155
	if (ses->capabilities & CAP_UNIX)
156 157 158 159 160
		capabilities |= CAP_UNIX;

	return capabilities;
}

161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206
static void
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	*pbcc_area = bcc_ptr;
}


S
Steve French 已提交
207
static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
208
				   const struct nls_table *nls_cp)
209
{
S
Steve French 已提交
210
	char *bcc_ptr = *pbcc_area;
211 212 213 214 215
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

216 217
	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
218 219
		*bcc_ptr = 0;
		bcc_ptr++;
220
	} */
221
	/* copy user */
S
Steve French 已提交
222
	if (ses->userName == NULL) {
223 224 225
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
226
	} else {
227
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
228
					  MAX_USERNAME_SIZE, nls_cp);
229 230 231 232
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */

233 234
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
	unicode_oslm_strings(&bcc_ptr, nls_cp);
235 236 237 238

	*pbcc_area = bcc_ptr;
}

S
Steve French 已提交
239
static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
240
				 const struct nls_table *nls_cp)
241
{
S
Steve French 已提交
242
	char *bcc_ptr = *pbcc_area;
243 244 245

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
S
Steve French 已提交
246 247 248
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
249 250
	} else {
		strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
S
Steve French 已提交
251
	}
252
	bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
253
	*bcc_ptr = 0;
S
Steve French 已提交
254
	bcc_ptr++; /* account for null termination */
255

S
Steve French 已提交
256 257 258 259
	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
260
		bcc_ptr += strnlen(ses->domainName, 256);
S
Steve French 已提交
261
	} /* else we will send a null domain name
262
	     so the server will default to its own domain */
263 264 265 266 267 268 269
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
270 271
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;
272 273 274 275

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

S
Steve French 已提交
276
	*pbcc_area = bcc_ptr;
277 278
}

279 280 281
static void
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
		      const struct nls_table *nls_cp)
282
{
283
	int len;
S
Steve French 已提交
284
	char *data = *pbcc_area;
285

286
	cFYI(1, "bleft %d", bleft);
287

288 289 290 291 292 293 294 295 296 297 298 299
	/*
	 * Windows servers do not always double null terminate their final
	 * Unicode string. Check to see if there are an uneven number of bytes
	 * left. If so, then add an extra NULL pad byte to the end of the
	 * response.
	 *
	 * See section 2.7.2 in "Implementing CIFS" for details
	 */
	if (bleft % 2) {
		data[bleft] = 0;
		++bleft;
	}
300

301
	kfree(ses->serverOS);
302
	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
303
	cFYI(1, "serverOS=%s", ses->serverOS);
304 305 306 307 308
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
309

310
	kfree(ses->serverNOS);
311
	ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
312
	cFYI(1, "serverNOS=%s", ses->serverNOS);
313 314 315 316 317
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
S
Steve French 已提交
318

319
	kfree(ses->serverDomain);
320
	ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
321
	cFYI(1, "serverDomain=%s", ses->serverDomain);
S
Steve French 已提交
322

323
	return;
324 325
}

S
Steve French 已提交
326 327 328
static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
329 330 331
{
	int rc = 0;
	int len;
S
Steve French 已提交
332
	char *bcc_ptr = *pbcc_area;
333

334
	cFYI(1, "decode sessetup ascii. bleft %d", bleft);
335

336
	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
337
	if (len >= bleft)
338
		return rc;
339

340
	kfree(ses->serverOS);
341 342

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
343
	if (ses->serverOS)
344
		strncpy(ses->serverOS, bcc_ptr, len);
S
Steve French 已提交
345
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
346
			cFYI(1, "OS/2 server");
347 348
			ses->flags |= CIFS_SES_OS2;
	}
349 350 351 352 353

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
354
	if (len >= bleft)
355 356
		return rc;

357
	kfree(ses->serverNOS);
358 359

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
360
	if (ses->serverNOS)
361 362 363 364 365
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

S
Steve French 已提交
366 367 368
	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;
369

370 371 372 373 374
	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
375
	cFYI(1, "ascii: bytes left %d", bleft);
376 377 378 379

	return rc;
}

380 381 382
static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
				    struct cifsSesInfo *ses)
{
383 384 385
	unsigned int tioffset; /* challenge message target info area */
	unsigned int tilen; /* challenge message target info area length  */

386 387 388
	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;

	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
389
		cERROR(1, "challenge blob len %d too small", blob_len);
390 391 392 393
		return -EINVAL;
	}

	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
394
		cERROR(1, "blob signature incorrect %s", pblob->Signature);
395 396 397
		return -EINVAL;
	}
	if (pblob->MessageType != NtLmChallenge) {
398
		cERROR(1, "Incorrect message type %d", pblob->MessageType);
399 400 401
		return -EINVAL;
	}

402
	memcpy(ses->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
403 404 405 406
	/* BB we could decode pblob->NegotiateFlags; some may be useful */
	/* In particular we can examine sign flags */
	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
		we must set the MIC field of the AUTHENTICATE_MESSAGE */
407
	ses->ntlmssp.server_flags = le32_to_cpu(pblob->NegotiateFlags);
408 409 410 411 412 413 414 415 416 417 418 419 420
	tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
	tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
	ses->tilen = tilen;
	if (ses->tilen) {
		ses->tiblob = kmalloc(tilen, GFP_KERNEL);
		if (!ses->tiblob) {
			cERROR(1, "Challenge target info allocation failure");
			ses->tilen = 0;
			return -ENOMEM;
		}
		memcpy(ses->tiblob,  bcc_ptr + tioffset, ses->tilen);
	}

421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440
	return 0;
}

#ifdef CONFIG_CIFS_EXPERIMENTAL
/* BB Move to ntlmssp.c eventually */

/* We do not malloc the blob, it is passed in pbuffer, because
   it is fixed size, and small, making this approach cleaner */
static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
					 struct cifsSesInfo *ses)
{
	NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
	__u32 flags;

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmNegotiate;

	/* BB is NTLMV2 session security format easier to use here? */
	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
441
		NTLMSSP_NEGOTIATE_NTLM;
442
	if (ses->server->secMode &
443
			(SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
444
		flags |= NTLMSSP_NEGOTIATE_SIGN;
445 446 447 448
		if (!ses->server->session_estab)
			flags |= NTLMSSP_NEGOTIATE_KEY_XCH |
				NTLMSSP_NEGOTIATE_EXTENDED_SEC;
	}
449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465

	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->WorkstationName.BufferOffset = 0;
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;

	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
	sec_blob->DomainName.BufferOffset = 0;
	sec_blob->DomainName.Length = 0;
	sec_blob->DomainName.MaximumLength = 0;
}

/* We do not malloc the blob, it is passed in pbuffer, because its
   maximum possible size is fixed and small, making this approach cleaner.
   This function returns the length of the data in the blob */
static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
466
					u16 *buflen,
467
				   struct cifsSesInfo *ses,
468
				   const struct nls_table *nls_cp)
469
{
470
	int rc;
471 472 473 474 475 476 477 478 479 480
	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
	__u32 flags;
	unsigned char *tmp;

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmAuthenticate;

	flags = NTLMSSP_NEGOTIATE_56 |
		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
481
		NTLMSSP_NEGOTIATE_NTLM;
482 483 484 485 486 487 488 489 490 491 492 493 494 495
	if (ses->server->secMode &
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		flags |= NTLMSSP_NEGOTIATE_SIGN;
	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;

	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->LmChallengeResponse.BufferOffset =
				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
	sec_blob->LmChallengeResponse.Length = 0;
	sec_blob->LmChallengeResponse.MaximumLength = 0;

496
	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
497
	rc = setup_ntlmv2_rsp(ses, nls_cp);
498 499 500 501
	if (rc) {
		cERROR(1, "Error %d during NTLMSSP authentication", rc);
		goto setup_ntlmv2_ret;
	}
502 503 504
	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
505

506 507
	sec_blob->NtChallengeResponse.Length =
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
508
	sec_blob->NtChallengeResponse.MaximumLength =
509
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547

	if (ses->domainName == NULL) {
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = 0;
		sec_blob->DomainName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = cpu_to_le16(len);
		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	if (ses->userName == NULL) {
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = 0;
		sec_blob->UserName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = cpu_to_le16(len);
		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;
	tmp += 2;

548 549 550 551 552 553 554 555 556 557 558 559 560
	if ((ses->ntlmssp.server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
			!calc_seckey(ses)) {
		memcpy(tmp, ses->ntlmssp.ciphertext, CIFS_CPHTXT_SIZE);
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
		sec_blob->SessionKey.MaximumLength =
				cpu_to_le16(CIFS_CPHTXT_SIZE);
		tmp += CIFS_CPHTXT_SIZE;
	} else {
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->SessionKey.Length = 0;
		sec_blob->SessionKey.MaximumLength = 0;
	}
561 562

setup_ntlmv2_ret:
563 564
	*buflen = tmp - pbuffer;
	return rc;
565 566 567 568 569 570 571 572 573 574 575 576 577
}


static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
				 struct cifsSesInfo *ses)
{
	build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
	pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));

	return;
}
#endif

S
Steve French 已提交
578
int
579 580
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
	       const struct nls_table *nls_cp)
581 582 583 584 585
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
586
	char *str_area;
587 588 589
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
590 591
	int resp_buf_type;
	struct kvec iov[3];
592 593 594
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;
595
	struct key *spnego_key = NULL;
596
	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
597
	u16 blob_len;
598
	char *ntlmsspblob = NULL;
599

S
Steve French 已提交
600
	if (ses == NULL)
601 602 603
		return -EINVAL;

	type = ses->server->secType;
604

605
	cFYI(1, "sess setup type %d", type);
606 607 608 609
ssetup_ntlmssp_authenticate:
	if (phase == NtLmChallenge)
		phase = NtLmAuthenticate; /* if ntlmssp, now final phase */

S
Steve French 已提交
610
	if (type == LANMAN) {
611 612 613 614 615 616 617 618 619
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
S
Steve French 已提交
620
	} else if ((type == NTLM) || (type == NTLMv2)) {
621
		/* For NTLMv2 failures eventually may need to retry NTLM */
622
		wct = 13; /* old style NTLM sessionsetup */
S
Steve French 已提交
623
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
624 625 626 627
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
S
Steve French 已提交
628
	if (rc)
629 630 631 632 633
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);
634

635 636 637 638 639 640
	/* we will send the SMB in three pieces:
	a fixed length beginning part, an optional
	SPNEGO blob (which can be zero length), and a
	last part which will include the strings
	and rest of bcc area. This allows us to avoid
	a large buffer 17K allocation */
S
Steve French 已提交
641 642
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;
643

644 645 646 647
	/* setting this here allows the code at the end of the function
	   to free the request buffer if there's an error */
	resp_buf_type = CIFS_SMALL_BUFFER;

648 649
	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
650
	if (str_area == NULL) {
651 652
		rc = -ENOMEM;
		goto ssetup_exit;
653
	}
654
	bcc_ptr = str_area;
655

656 657
	ses->flags &= ~CIFS_SES_LANMAN;

658 659 660
	iov[1].iov_base = NULL;
	iov[1].iov_len = 0;

S
Steve French 已提交
661
	if (type == LANMAN) {
662
#ifdef CONFIG_CIFS_WEAK_PW_HASH
663
		char lnm_session_key[CIFS_SESS_KEY_SIZE];
664

665 666
		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;

667 668
		/* no capabilities flags in old lanman negotiation */

S
Steve French 已提交
669
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
670

671 672 673 674 675 676 677
		/* Calculate hash with password and copy into bcc_ptr.
		 * Encryption Key (stored as in cryptkey) gets used if the
		 * security mode bit in Negottiate Protocol response states
		 * to use challenge/response method (i.e. Password bit is 1).
		 */

		calc_lanman_hash(ses->password, ses->server->cryptkey,
678 679 680
				 ses->server->secMode & SECMODE_PW_ENCRYPT ?
					true : false, lnm_session_key);

S
Steve French 已提交
681
		ses->flags |= CIFS_SES_LANMAN;
682 683
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
684 685 686 687 688 689

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

690
		cFYI(1, "Negotiating LANMAN setting up strings");
691 692
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
S
Steve French 已提交
693
#endif
694 695 696
	} else if (type == NTLM) {
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
697
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
698
		pSMB->req_no_secext.CaseSensitivePasswordLength =
699 700 701 702 703 704 705 706
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);

		/* calculate ntlm response and session key */
		rc = setup_ntlm_response(ses);
		if (rc) {
			cERROR(1, "Error %d during NTLM authentication", rc);
			goto ssetup_exit;
		}
707

708 709 710 711 712 713 714
		/* copy ntlm response */
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				CIFS_AUTH_RESP_SIZE);
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				CIFS_AUTH_RESP_SIZE);
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
715

S
Steve French 已提交
716
		if (ses->capabilities & CAP_UNICODE) {
717 718 719
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
S
Steve French 已提交
720 721
				bcc_ptr++;
			}
722
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
723
		} else
724 725 726 727 728 729 730
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;

731 732
		/* calculate nlmv2 response and session key */
		rc = setup_ntlmv2_rsp(ses, nls_cp);
733 734 735 736
		if (rc) {
			cERROR(1, "Error %d during NTLMv2 authentication", rc);
			goto ssetup_exit;
		}
737 738 739 740
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;

741 742 743 744
		/* set case sensitive password length after tilen may get
		 * assigned, tilen is 0 otherwise.
		 */
		pSMB->req_no_secext.CaseSensitivePasswordLength =
745
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
746

S
Steve French 已提交
747 748
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
749
				*bcc_ptr = 0;
750 751
				bcc_ptr++;
			}
752
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
753
		} else
754
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
755
	} else if (type == Kerberos) {
756 757
#ifdef CONFIG_CIFS_UPCALL
		struct cifs_spnego_msg *msg;
758

759 760 761 762 763 764 765 766
		spnego_key = cifs_get_spnego_key(ses);
		if (IS_ERR(spnego_key)) {
			rc = PTR_ERR(spnego_key);
			spnego_key = NULL;
			goto ssetup_exit;
		}

		msg = spnego_key->payload.data;
767 768 769
		/* check version field to make sure that cifs.upcall is
		   sending us a response in an expected form */
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
770
			cERROR(1, "incorrect version of cifs.upcall (expected"
771
				   " %d but got %d)",
772
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version);
773 774 775
			rc = -EKEYREJECTED;
			goto ssetup_exit;
		}
776 777 778 779 780 781

		ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
		if (!ses->auth_key.response) {
			cERROR(1, "Kerberos can't allocate (%u bytes) memory",
					msg->sesskey_len);
			rc = -ENOMEM;
782 783
			goto ssetup_exit;
		}
784
		memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
785
		ses->auth_key.len = msg->sesskey_len;
786

787 788 789
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
790 791 792 793 794 795
		iov[1].iov_base = msg->data + msg->sesskey_len;
		iov[1].iov_len = msg->secblob_len;
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);

		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
796
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
797 798 799 800 801 802 803 804 805
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
		} else
		/* BB: is this right? */
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#else /* ! CONFIG_CIFS_UPCALL */
806
		cERROR(1, "Kerberos negotiated but upcall support disabled!");
807 808 809 810
		rc = -ENOSYS;
		goto ssetup_exit;
#endif /* CONFIG_CIFS_UPCALL */
	} else {
811
#ifdef CONFIG_CIFS_EXPERIMENTAL
812
		if (type == RawNTLMSSP) {
813
			if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
814
				cERROR(1, "NTLMSSP requires Unicode support");
815 816 817 818
				rc = -ENOSYS;
				goto ssetup_exit;
			}

819
			cFYI(1, "ntlmssp session setup phase %d", phase);
820 821 822 823 824 825
			pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
			capabilities |= CAP_EXTENDED_SECURITY;
			pSMB->req.Capabilities |= cpu_to_le32(capabilities);
			if (phase == NtLmNegotiate) {
				setup_ntlmssp_neg_req(pSMB, ses);
				iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
826
				iov[1].iov_base = &pSMB->req.SecurityBlob[0];
827
			} else if (phase == NtLmAuthenticate) {
828 829 830 831 832 833 834 835 836 837 838 839 840 841
				/* 5 is an empirical value, large enought to
				 * hold authenticate message, max 10 of
				 * av paris, doamin,user,workstation mames,
				 * flags etc..
				 */
				ntlmsspblob = kmalloc(
					5*sizeof(struct _AUTHENTICATE_MESSAGE),
					GFP_KERNEL);
				if (!ntlmsspblob) {
					cERROR(1, "Can't allocate NTLMSSP");
					rc = -ENOMEM;
					goto ssetup_exit;
				}

842 843 844 845
				rc = build_ntlmssp_auth_blob(ntlmsspblob,
							&blob_len, ses, nls_cp);
				if (rc)
					goto ssetup_exit;
846
				iov[1].iov_len = blob_len;
847 848 849
				iov[1].iov_base = ntlmsspblob;
				pSMB->req.SecurityBlobLength =
					cpu_to_le16(blob_len);
850 851 852 853
				/* Make sure that we tell the server that we
				   are using the uid that it just gave us back
				   on the response (challenge) */
				smb_buf->Uid = ses->Suid;
854
			} else {
855
				cERROR(1, "invalid phase %d", phase);
856 857 858 859 860 861 862 863 864 865
				rc = -ENOSYS;
				goto ssetup_exit;
			}
			/* unicode strings must be word aligned */
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
		} else {
866
			cERROR(1, "secType %d not supported!", type);
867 868 869 870
			rc = -ENOSYS;
			goto ssetup_exit;
		}
#else
871
		cERROR(1, "secType %d not supported!", type);
872 873
		rc = -ENOSYS;
		goto ssetup_exit;
874
#endif
875 876
	}

877 878 879 880
	iov[2].iov_base = str_area;
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;

	count = iov[1].iov_len + iov[2].iov_len;
881 882 883 884
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

885
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
886
			  CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
887 888 889 890 891
	/* SMB request buf freed in SendReceive2 */

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

892 893 894
	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
		if (phase != NtLmNegotiate) {
895
			cERROR(1, "Unexpected more processing error");
896 897 898 899 900 901 902 903 904
			goto ssetup_exit;
		}
		/* NTLMSSP Negotiate sent now processing challenge (response) */
		phase = NtLmChallenge; /* process ntlmssp challenge */
		rc = 0; /* MORE_PROC rc is not an error here, but expected */
	}
	if (rc)
		goto ssetup_exit;

S
Steve French 已提交
905
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
906
		rc = -EIO;
907
		cERROR(1, "bad word count %d", smb_buf->WordCount);
908 909 910 911
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
912
		cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
913
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
914
	cFYI(1, "UID = %d ", ses->Suid);
915 916 917 918 919
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

S
Steve French 已提交
920
	if (smb_buf->WordCount == 4) {
921
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
S
Steve French 已提交
922
		if (blob_len > bytes_remaining) {
923
			cERROR(1, "bad security blob length %d", blob_len);
924 925 926
			rc = -EINVAL;
			goto ssetup_exit;
		}
927 928 929 930 931 932 933
		if (phase == NtLmChallenge) {
			rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
			/* now goto beginning for ntlmssp authenticate phase */
			if (rc)
				goto ssetup_exit;
		}
		bcc_ptr += blob_len;
934
		bytes_remaining -= blob_len;
S
Steve French 已提交
935
	}
936 937

	/* BB check if Unicode and decode strings */
938 939 940 941 942 943
	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
		/* unicode string area must be word-aligned */
		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
			++bcc_ptr;
			--bytes_remaining;
		}
944
		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
945
	} else {
946 947
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);
948
	}
949

950
ssetup_exit:
951 952
	if (spnego_key) {
		key_revoke(spnego_key);
953
		key_put(spnego_key);
954
	}
955
	kfree(str_area);
956 957
	kfree(ntlmsspblob);
	ntlmsspblob = NULL;
S
Steve French 已提交
958
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
959
		cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
960
		cifs_small_buf_release(iov[0].iov_base);
S
Steve French 已提交
961
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
962 963
		cifs_buf_release(iov[0].iov_base);

964 965 966 967
	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
	if ((phase == NtLmChallenge) && (rc == 0))
		goto ssetup_ntlmssp_authenticate;

968 969
	return rc;
}