sess.c 28.6 KB
Newer Older
1 2 3 4 5
/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2009
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include <linux/slab.h>
33
#include "cifs_spnego.h"
34

35 36 37 38 39
/*
 * Checks if this is the first smb session to be reconnected after
 * the socket has been reestablished (so we know whether to use vc 0).
 * Called while holding the cifs_tcp_ses_lock, so do not block
 */
40
static bool is_first_ses_reconnect(struct cifs_ses *ses)
41 42
{
	struct list_head *tmp;
43
	struct cifs_ses *tmp_ses;
44 45

	list_for_each(tmp, &ses->server->smb_ses_list) {
46
		tmp_ses = list_entry(tmp, struct cifs_ses,
47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
				     smb_ses_list);
		if (tmp_ses->need_reconnect == false)
			return false;
	}
	/* could not find a session that was already connected,
	   this must be the first one we are reconnecting */
	return true;
}

/*
 *	vc number 0 is treated specially by some servers, and should be the
 *      first one we request.  After that we can use vcnumbers up to maxvcs,
 *	one for each smb session (some Windows versions set maxvcs incorrectly
 *	so maxvc=1 can be ignored).  If we have too many vcs, we can reuse
 *	any vc but zero (some servers reset the connection on vcnum zero)
 *
 */
64
static __le16 get_next_vcnum(struct cifs_ses *ses)
65 66 67
{
	__u16 vcnum = 0;
	struct list_head *tmp;
68
	struct cifs_ses *tmp_ses;
69 70 71 72 73 74 75 76 77 78 79
	__u16 max_vcs = ses->server->max_vcs;
	__u16 i;
	int free_vc_found = 0;

	/* Quoting the MS-SMB specification: "Windows-based SMB servers set this
	field to one but do not enforce this limit, which allows an SMB client
	to establish more virtual circuits than allowed by this value ... but
	other server implementations can enforce this limit." */
	if (max_vcs < 2)
		max_vcs = 0xFFFF;

80
	spin_lock(&cifs_tcp_ses_lock);
81 82 83 84 85 86 87 88 89
	if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
			goto get_vc_num_exit;  /* vcnum will be zero */
	for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
		if (i == 0) /* this is the only connection, use vc 0 */
			break;

		free_vc_found = 1;

		list_for_each(tmp, &ses->server->smb_ses_list) {
90
			tmp_ses = list_entry(tmp, struct cifs_ses,
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111
					     smb_ses_list);
			if (tmp_ses->vcnum == i) {
				free_vc_found = 0;
				break; /* found duplicate, try next vcnum */
			}
		}
		if (free_vc_found)
			break; /* we found a vcnumber that will work - use it */
	}

	if (i == 0)
		vcnum = 0; /* for most common case, ie if one smb session, use
			      vc zero.  Also for case when no free vcnum, zero
			      is safest to send (some clients only send zero) */
	else if (free_vc_found == 0)
		vcnum = 1;  /* we can not reuse vc=0 safely, since some servers
				reset all uids on that, but 1 is ok. */
	else
		vcnum = i;
	ses->vcnum = vcnum;
get_vc_num_exit:
112
	spin_unlock(&cifs_tcp_ses_lock);
113

114
	return cpu_to_le16(vcnum);
115 116
}

117
static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
118 119 120 121
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
122 123 124 125
	/* Note that offsets for first seven fields in req struct are same  */
	/*	in CIFS Specs so does not matter which of 3 forms of struct */
	/*	that we use in next few lines                               */
	/* Note that header is initialized to zero in header_assemble */
126
	pSMB->req.AndXCommand = 0xFF;
127 128 129
	pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
					CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
					USHRT_MAX));
130
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
131
	pSMB->req.VcNumber = get_next_vcnum(ses);
132 133 134

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

S
Steve French 已提交
135
	/* BB verify whether signing required on neg or just on auth frame
136 137 138 139 140
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

141
	if (ses->server->sec_mode &
S
Steve French 已提交
142
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
143 144 145 146 147 148 149 150 151 152 153 154 155 156
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
157
	if (ses->capabilities & CAP_UNIX)
158 159 160 161 162
		capabilities |= CAP_UNIX;

	return capabilities;
}

163 164 165 166 167 168 169
static void
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* Copy OS version */
170 171
	bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
				    nls_cp);
172
	bcc_ptr += 2 * bytes_ret;
173 174
	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
				    32, nls_cp);
175 176 177
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

178 179
	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				    32, nls_cp);
180 181 182 183 184 185
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

186
static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
187 188 189 190 191 192 193 194 195 196 197 198 199
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
200 201
		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
					    256, nls_cp);
202 203 204 205 206 207 208
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	*pbcc_area = bcc_ptr;
}


209
static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
S
Steve French 已提交
210
				   const struct nls_table *nls_cp)
211
{
S
Steve French 已提交
212
	char *bcc_ptr = *pbcc_area;
213 214 215 216 217
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

218 219
	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
220 221
		*bcc_ptr = 0;
		bcc_ptr++;
222
	} */
223
	/* copy user */
224
	if (ses->user_name == NULL) {
225 226 227
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
228
	} else {
229 230
		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
					    MAX_USERNAME_SIZE, nls_cp);
231 232 233 234
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */

235 236
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
	unicode_oslm_strings(&bcc_ptr, nls_cp);
237 238 239 240

	*pbcc_area = bcc_ptr;
}

241
static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
S
Steve French 已提交
242
				 const struct nls_table *nls_cp)
243
{
S
Steve French 已提交
244
	char *bcc_ptr = *pbcc_area;
245 246 247

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
S
Steve French 已提交
248
	/* copy user */
249
	if (ses->user_name != NULL) {
250
		strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
251 252
		bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
	}
253
	/* else null user mount */
254
	*bcc_ptr = 0;
S
Steve French 已提交
255
	bcc_ptr++; /* account for null termination */
256

S
Steve French 已提交
257 258 259
	/* copy domain */
	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
260
		bcc_ptr += strnlen(ses->domainName, 256);
S
Steve French 已提交
261
	} /* else we will send a null domain name
262
	     so the server will default to its own domain */
263 264 265 266 267 268 269
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
270 271
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;
272 273 274 275

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

S
Steve French 已提交
276
	*pbcc_area = bcc_ptr;
277 278
}

279
static void
280
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
281
		      const struct nls_table *nls_cp)
282
{
283
	int len;
S
Steve French 已提交
284
	char *data = *pbcc_area;
285

286
	cFYI(1, "bleft %d", bleft);
287

288
	kfree(ses->serverOS);
289
	ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
290
	cFYI(1, "serverOS=%s", ses->serverOS);
291 292 293 294 295
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
296

297
	kfree(ses->serverNOS);
298
	ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
299
	cFYI(1, "serverNOS=%s", ses->serverNOS);
300 301 302 303 304
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
S
Steve French 已提交
305

306
	kfree(ses->serverDomain);
307
	ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
308
	cFYI(1, "serverDomain=%s", ses->serverDomain);
S
Steve French 已提交
309

310
	return;
311 312
}

313
static int decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
314
			       struct cifs_ses *ses,
S
Steve French 已提交
315
			       const struct nls_table *nls_cp)
316 317 318
{
	int rc = 0;
	int len;
S
Steve French 已提交
319
	char *bcc_ptr = *pbcc_area;
320

321
	cFYI(1, "decode sessetup ascii. bleft %d", bleft);
322

323
	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
324
	if (len >= bleft)
325
		return rc;
326

327
	kfree(ses->serverOS);
328 329

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
330
	if (ses->serverOS)
331
		strncpy(ses->serverOS, bcc_ptr, len);
S
Steve French 已提交
332
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
333
			cFYI(1, "OS/2 server");
334 335
			ses->flags |= CIFS_SES_OS2;
	}
336 337 338 339 340

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
341
	if (len >= bleft)
342 343
		return rc;

344
	kfree(ses->serverNOS);
345 346

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
347
	if (ses->serverNOS)
348 349 350 351 352
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

S
Steve French 已提交
353 354 355
	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;
356

357 358 359 360 361
	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
362
	cFYI(1, "ascii: bytes left %d", bleft);
363 364 365 366

	return rc;
}

367
static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
368
				    struct cifs_ses *ses)
369
{
370 371 372
	unsigned int tioffset; /* challenge message target info area */
	unsigned int tilen; /* challenge message target info area length  */

373 374 375
	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;

	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
376
		cERROR(1, "challenge blob len %d too small", blob_len);
377 378 379 380
		return -EINVAL;
	}

	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
381
		cERROR(1, "blob signature incorrect %s", pblob->Signature);
382 383 384
		return -EINVAL;
	}
	if (pblob->MessageType != NtLmChallenge) {
385
		cERROR(1, "Incorrect message type %d", pblob->MessageType);
386 387 388
		return -EINVAL;
	}

389
	memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
390 391 392 393
	/* BB we could decode pblob->NegotiateFlags; some may be useful */
	/* In particular we can examine sign flags */
	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
		we must set the MIC field of the AUTHENTICATE_MESSAGE */
394
	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
S
Steve French 已提交
395 396
	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
397 398 399 400
	if (tioffset > blob_len || tioffset + tilen > blob_len) {
		cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
		return -EINVAL;
	}
401 402 403
	if (tilen) {
		ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
		if (!ses->auth_key.response) {
404 405 406
			cERROR(1, "Challenge target info allocation failure");
			return -ENOMEM;
		}
407 408
		memcpy(ses->auth_key.response, bcc_ptr + tioffset, tilen);
		ses->auth_key.len = tilen;
409 410
	}

411 412 413 414 415 416 417 418
	return 0;
}

/* BB Move to ntlmssp.c eventually */

/* We do not malloc the blob, it is passed in pbuffer, because
   it is fixed size, and small, making this approach cleaner */
static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
419
					 struct cifs_ses *ses)
420 421 422 423
{
	NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
	__u32 flags;

424
	memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
425 426 427 428 429 430
	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmNegotiate;

	/* BB is NTLMV2 session security format easier to use here? */
	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
431
		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
432
	if (ses->server->sec_mode &
433
			(SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
434
		flags |= NTLMSSP_NEGOTIATE_SIGN;
435
		if (!ses->server->session_estab)
436
			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
437
	}
438

439
	sec_blob->NegotiateFlags = cpu_to_le32(flags);
440 441 442 443 444 445 446 447 448 449 450 451 452 453 454

	sec_blob->WorkstationName.BufferOffset = 0;
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;

	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
	sec_blob->DomainName.BufferOffset = 0;
	sec_blob->DomainName.Length = 0;
	sec_blob->DomainName.MaximumLength = 0;
}

/* We do not malloc the blob, it is passed in pbuffer, because its
   maximum possible size is fixed and small, making this approach cleaner.
   This function returns the length of the data in the blob */
static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
455
					u16 *buflen,
456
				   struct cifs_ses *ses,
457
				   const struct nls_table *nls_cp)
458
{
459
	int rc;
460 461 462 463 464 465 466 467 468 469
	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
	__u32 flags;
	unsigned char *tmp;

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmAuthenticate;

	flags = NTLMSSP_NEGOTIATE_56 |
		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
470
		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
471
	if (ses->server->sec_mode &
472
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
473
		flags |= NTLMSSP_NEGOTIATE_SIGN;
474 475 476
		if (!ses->server->session_estab)
			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
	}
477 478

	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
479
	sec_blob->NegotiateFlags = cpu_to_le32(flags);
480 481 482 483 484 485

	sec_blob->LmChallengeResponse.BufferOffset =
				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
	sec_blob->LmChallengeResponse.Length = 0;
	sec_blob->LmChallengeResponse.MaximumLength = 0;

486
	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
487
	rc = setup_ntlmv2_rsp(ses, nls_cp);
488 489 490 491
	if (rc) {
		cERROR(1, "Error %d during NTLMSSP authentication", rc);
		goto setup_ntlmv2_ret;
	}
492 493 494
	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
495

496 497
	sec_blob->NtChallengeResponse.Length =
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
498
	sec_blob->NtChallengeResponse.MaximumLength =
499
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
500 501 502 503 504 505 506 507

	if (ses->domainName == NULL) {
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = 0;
		sec_blob->DomainName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
508 509
		len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
				      MAX_USERNAME_SIZE, nls_cp);
510 511 512 513 514 515 516
		len *= 2; /* unicode is 2 bytes each */
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = cpu_to_le16(len);
		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

517
	if (ses->user_name == NULL) {
518 519 520 521 522 523
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = 0;
		sec_blob->UserName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
524 525
		len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
				      MAX_USERNAME_SIZE, nls_cp);
526 527 528 529 530 531 532 533 534 535 536 537
		len *= 2; /* unicode is 2 bytes each */
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = cpu_to_le16(len);
		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;
	tmp += 2;

538 539 540
	if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
		(ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
			&& !calc_seckey(ses)) {
541
		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
542 543 544 545 546 547 548 549 550 551
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
		sec_blob->SessionKey.MaximumLength =
				cpu_to_le16(CIFS_CPHTXT_SIZE);
		tmp += CIFS_CPHTXT_SIZE;
	} else {
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->SessionKey.Length = 0;
		sec_blob->SessionKey.MaximumLength = 0;
	}
552 553

setup_ntlmv2_ret:
554 555
	*buflen = tmp - pbuffer;
	return rc;
556 557
}

S
Steve French 已提交
558
int
559
CIFS_SessSetup(unsigned int xid, struct cifs_ses *ses,
560
	       const struct nls_table *nls_cp)
561 562 563 564 565
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
566
	char *str_area;
567 568
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
569
	__u16 count;
570 571
	int resp_buf_type;
	struct kvec iov[3];
572
	enum securityEnum type;
573
	__u16 action, bytes_remaining;
574
	struct key *spnego_key = NULL;
575
	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
576
	u16 blob_len;
577
	char *ntlmsspblob = NULL;
578

S
Steve French 已提交
579
	if (ses == NULL)
580 581 582
		return -EINVAL;

	type = ses->server->secType;
583
	cFYI(1, "sess setup type %d", type);
584 585 586 587 588 589 590 591 592
	if (type == RawNTLMSSP) {
		/* if memory allocation is successful, caller of this function
		 * frees it.
		 */
		ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
		if (!ses->ntlmssp)
			return -ENOMEM;
	}

593 594 595 596
ssetup_ntlmssp_authenticate:
	if (phase == NtLmChallenge)
		phase = NtLmAuthenticate; /* if ntlmssp, now final phase */

S
Steve French 已提交
597
	if (type == LANMAN) {
598 599 600 601 602 603 604 605 606
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
S
Steve French 已提交
607
	} else if ((type == NTLM) || (type == NTLMv2)) {
608
		/* For NTLMv2 failures eventually may need to retry NTLM */
609
		wct = 13; /* old style NTLM sessionsetup */
S
Steve French 已提交
610
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
611 612 613 614
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
S
Steve French 已提交
615
	if (rc)
616 617 618 619 620
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);
621

622 623 624 625 626 627
	/* we will send the SMB in three pieces:
	a fixed length beginning part, an optional
	SPNEGO blob (which can be zero length), and a
	last part which will include the strings
	and rest of bcc area. This allows us to avoid
	a large buffer 17K allocation */
S
Steve French 已提交
628
	iov[0].iov_base = (char *)pSMB;
629
	iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
630

631 632 633 634
	/* setting this here allows the code at the end of the function
	   to free the request buffer if there's an error */
	resp_buf_type = CIFS_SMALL_BUFFER;

635 636
	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
637
	if (str_area == NULL) {
638 639
		rc = -ENOMEM;
		goto ssetup_exit;
640
	}
641
	bcc_ptr = str_area;
642

643 644
	ses->flags &= ~CIFS_SES_LANMAN;

645 646 647
	iov[1].iov_base = NULL;
	iov[1].iov_len = 0;

S
Steve French 已提交
648
	if (type == LANMAN) {
649
#ifdef CONFIG_CIFS_WEAK_PW_HASH
650
		char lnm_session_key[CIFS_AUTH_RESP_SIZE];
651

652 653
		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;

654 655
		/* no capabilities flags in old lanman negotiation */

656
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
657

658 659 660 661 662 663
		/* Calculate hash with password and copy into bcc_ptr.
		 * Encryption Key (stored as in cryptkey) gets used if the
		 * security mode bit in Negottiate Protocol response states
		 * to use challenge/response method (i.e. Password bit is 1).
		 */

664
		rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
665
				 ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
666 667
					true : false, lnm_session_key);

S
Steve French 已提交
668
		ses->flags |= CIFS_SES_LANMAN;
669 670
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
671 672 673 674 675 676

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

677
		cFYI(1, "Negotiating LANMAN setting up strings");
678 679
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
S
Steve French 已提交
680
#endif
681 682 683
	} else if (type == NTLM) {
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
684
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
685
		pSMB->req_no_secext.CaseSensitivePasswordLength =
686 687 688
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);

		/* calculate ntlm response and session key */
689
		rc = setup_ntlm_response(ses, nls_cp);
690 691 692 693
		if (rc) {
			cERROR(1, "Error %d during NTLM authentication", rc);
			goto ssetup_exit;
		}
694

695 696 697 698 699 700 701
		/* copy ntlm response */
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				CIFS_AUTH_RESP_SIZE);
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				CIFS_AUTH_RESP_SIZE);
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
702

S
Steve French 已提交
703
		if (ses->capabilities & CAP_UNICODE) {
704 705 706
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
S
Steve French 已提交
707 708
				bcc_ptr++;
			}
709
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
710
		} else
711 712 713 714 715 716 717
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;

718 719
		/* calculate nlmv2 response and session key */
		rc = setup_ntlmv2_rsp(ses, nls_cp);
720 721 722 723
		if (rc) {
			cERROR(1, "Error %d during NTLMv2 authentication", rc);
			goto ssetup_exit;
		}
724 725 726 727
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;

728 729 730 731
		/* set case sensitive password length after tilen may get
		 * assigned, tilen is 0 otherwise.
		 */
		pSMB->req_no_secext.CaseSensitivePasswordLength =
732
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
733

S
Steve French 已提交
734 735
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
736
				*bcc_ptr = 0;
737 738
				bcc_ptr++;
			}
739
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
740
		} else
741
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
742
	} else if (type == Kerberos) {
743 744
#ifdef CONFIG_CIFS_UPCALL
		struct cifs_spnego_msg *msg;
745

746 747 748 749 750 751 752 753
		spnego_key = cifs_get_spnego_key(ses);
		if (IS_ERR(spnego_key)) {
			rc = PTR_ERR(spnego_key);
			spnego_key = NULL;
			goto ssetup_exit;
		}

		msg = spnego_key->payload.data;
754 755 756
		/* check version field to make sure that cifs.upcall is
		   sending us a response in an expected form */
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
757
			cERROR(1, "incorrect version of cifs.upcall (expected"
758
				   " %d but got %d)",
759
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version);
760 761 762
			rc = -EKEYREJECTED;
			goto ssetup_exit;
		}
763 764 765 766 767 768

		ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
		if (!ses->auth_key.response) {
			cERROR(1, "Kerberos can't allocate (%u bytes) memory",
					msg->sesskey_len);
			rc = -ENOMEM;
769 770
			goto ssetup_exit;
		}
771
		memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
772
		ses->auth_key.len = msg->sesskey_len;
773

774 775 776
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
777 778 779 780 781 782
		iov[1].iov_base = msg->data + msg->sesskey_len;
		iov[1].iov_len = msg->secblob_len;
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);

		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
783
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
784 785 786 787 788 789 790 791 792
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
		} else
		/* BB: is this right? */
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#else /* ! CONFIG_CIFS_UPCALL */
793
		cERROR(1, "Kerberos negotiated but upcall support disabled!");
794 795 796
		rc = -ENOSYS;
		goto ssetup_exit;
#endif /* CONFIG_CIFS_UPCALL */
797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828
	} else if (type == RawNTLMSSP) {
		if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
			cERROR(1, "NTLMSSP requires Unicode support");
			rc = -ENOSYS;
			goto ssetup_exit;
		}

		cFYI(1, "ntlmssp session setup phase %d", phase);
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities |= cpu_to_le32(capabilities);
		switch(phase) {
		case NtLmNegotiate:
			build_ntlmssp_negotiate_blob(
				pSMB->req.SecurityBlob, ses);
			iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
			iov[1].iov_base = pSMB->req.SecurityBlob;
			pSMB->req.SecurityBlobLength =
				cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
			break;
		case NtLmAuthenticate:
			/*
			 * 5 is an empirical value, large enough to hold
			 * authenticate message plus max 10 of av paris,
			 * domain, user, workstation names, flags, etc.
			 */
			ntlmsspblob = kzalloc(
				5*sizeof(struct _AUTHENTICATE_MESSAGE),
				GFP_KERNEL);
			if (!ntlmsspblob) {
				cERROR(1, "Can't allocate NTLMSSP blob");
				rc = -ENOMEM;
829 830 831
				goto ssetup_exit;
			}

832 833 834
			rc = build_ntlmssp_auth_blob(ntlmsspblob,
						&blob_len, ses, nls_cp);
			if (rc)
835
				goto ssetup_exit;
836 837 838 839 840 841 842 843 844 845 846 847
			iov[1].iov_len = blob_len;
			iov[1].iov_base = ntlmsspblob;
			pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
			/*
			 * Make sure that we tell the server that we are using
			 * the uid that it just gave us back on the response
			 * (challenge)
			 */
			smb_buf->Uid = ses->Suid;
			break;
		default:
			cERROR(1, "invalid phase %d", phase);
848 849 850
			rc = -ENOSYS;
			goto ssetup_exit;
		}
851 852 853 854 855 856 857
		/* unicode strings must be word aligned */
		if ((iov[0].iov_len + iov[1].iov_len) % 2) {
			*bcc_ptr = 0;
			bcc_ptr++;
		}
		unicode_oslm_strings(&bcc_ptr, nls_cp);
	} else {
858
		cERROR(1, "secType %d not supported!", type);
859 860
		rc = -ENOSYS;
		goto ssetup_exit;
861 862
	}

863 864 865 866
	iov[2].iov_base = str_area;
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;

	count = iov[1].iov_len + iov[2].iov_len;
867 868
	smb_buf->smb_buf_length =
		cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count);
869

870
	put_bcc(count, smb_buf);
871

872
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
873
			  CIFS_LOG_ERROR);
874 875 876 877 878
	/* SMB request buf freed in SendReceive2 */

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

879 880 881
	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
		if (phase != NtLmNegotiate) {
882
			cERROR(1, "Unexpected more processing error");
883 884 885 886 887 888 889 890 891
			goto ssetup_exit;
		}
		/* NTLMSSP Negotiate sent now processing challenge (response) */
		phase = NtLmChallenge; /* process ntlmssp challenge */
		rc = 0; /* MORE_PROC rc is not an error here, but expected */
	}
	if (rc)
		goto ssetup_exit;

S
Steve French 已提交
892
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
893
		rc = -EIO;
894
		cERROR(1, "bad word count %d", smb_buf->WordCount);
895 896 897 898
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
899
		cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
900
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
901
	cFYI(1, "UID = %d ", ses->Suid);
902 903
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
904
	bytes_remaining = get_bcc(smb_buf);
905 906
	bcc_ptr = pByteArea(smb_buf);

S
Steve French 已提交
907
	if (smb_buf->WordCount == 4) {
908
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
S
Steve French 已提交
909
		if (blob_len > bytes_remaining) {
910
			cERROR(1, "bad security blob length %d", blob_len);
911 912 913
			rc = -EINVAL;
			goto ssetup_exit;
		}
914 915 916 917 918 919 920
		if (phase == NtLmChallenge) {
			rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
			/* now goto beginning for ntlmssp authenticate phase */
			if (rc)
				goto ssetup_exit;
		}
		bcc_ptr += blob_len;
921
		bytes_remaining -= blob_len;
S
Steve French 已提交
922
	}
923 924

	/* BB check if Unicode and decode strings */
925 926 927
	if (bytes_remaining == 0) {
		/* no string area to decode, do nothing */
	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
928 929 930 931 932
		/* unicode string area must be word-aligned */
		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
			++bcc_ptr;
			--bytes_remaining;
		}
933
		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
934
	} else {
935 936
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);
937
	}
938

939
ssetup_exit:
940 941
	if (spnego_key) {
		key_revoke(spnego_key);
942
		key_put(spnego_key);
943
	}
944
	kfree(str_area);
945 946
	kfree(ntlmsspblob);
	ntlmsspblob = NULL;
S
Steve French 已提交
947
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
948
		cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
949
		cifs_small_buf_release(iov[0].iov_base);
S
Steve French 已提交
950
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
951 952
		cifs_buf_release(iov[0].iov_base);

953 954 955 956
	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
	if ((phase == NtLmChallenge) && (rc == 0))
		goto ssetup_ntlmssp_authenticate;

957 958
	return rc;
}