sess.c 28.2 KB
Newer Older
1 2 3 4 5
/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2009
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include <linux/slab.h>
33
#include "cifs_spnego.h"
34 35

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
S
Steve French 已提交
36
			 unsigned char *p24);
37

38 39 40 41 42
/*
 * Checks if this is the first smb session to be reconnected after
 * the socket has been reestablished (so we know whether to use vc 0).
 * Called while holding the cifs_tcp_ses_lock, so do not block
 */
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
{
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;

	list_for_each(tmp, &ses->server->smb_ses_list) {
		tmp_ses = list_entry(tmp, struct cifsSesInfo,
				     smb_ses_list);
		if (tmp_ses->need_reconnect == false)
			return false;
	}
	/* could not find a session that was already connected,
	   this must be the first one we are reconnecting */
	return true;
}

/*
 *	vc number 0 is treated specially by some servers, and should be the
 *      first one we request.  After that we can use vcnumbers up to maxvcs,
 *	one for each smb session (some Windows versions set maxvcs incorrectly
 *	so maxvc=1 can be ignored).  If we have too many vcs, we can reuse
 *	any vc but zero (some servers reset the connection on vcnum zero)
 *
 */
static __le16 get_next_vcnum(struct cifsSesInfo *ses)
{
	__u16 vcnum = 0;
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;
	__u16 max_vcs = ses->server->max_vcs;
	__u16 i;
	int free_vc_found = 0;

	/* Quoting the MS-SMB specification: "Windows-based SMB servers set this
	field to one but do not enforce this limit, which allows an SMB client
	to establish more virtual circuits than allowed by this value ... but
	other server implementations can enforce this limit." */
	if (max_vcs < 2)
		max_vcs = 0xFFFF;

	write_lock(&cifs_tcp_ses_lock);
	if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
			goto get_vc_num_exit;  /* vcnum will be zero */
	for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
		if (i == 0) /* this is the only connection, use vc 0 */
			break;

		free_vc_found = 1;

		list_for_each(tmp, &ses->server->smb_ses_list) {
			tmp_ses = list_entry(tmp, struct cifsSesInfo,
					     smb_ses_list);
			if (tmp_ses->vcnum == i) {
				free_vc_found = 0;
				break; /* found duplicate, try next vcnum */
			}
		}
		if (free_vc_found)
			break; /* we found a vcnumber that will work - use it */
	}

	if (i == 0)
		vcnum = 0; /* for most common case, ie if one smb session, use
			      vc zero.  Also for case when no free vcnum, zero
			      is safest to send (some clients only send zero) */
	else if (free_vc_found == 0)
		vcnum = 1;  /* we can not reuse vc=0 safely, since some servers
				reset all uids on that, but 1 is ok. */
	else
		vcnum = i;
	ses->vcnum = vcnum;
get_vc_num_exit:
	write_unlock(&cifs_tcp_ses_lock);

117
	return cpu_to_le16(vcnum);
118 119
}

120 121 122 123 124
static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
125 126 127 128
	/* Note that offsets for first seven fields in req struct are same  */
	/*	in CIFS Specs so does not matter which of 3 forms of struct */
	/*	that we use in next few lines                               */
	/* Note that header is initialized to zero in header_assemble */
129 130 131
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
132
	pSMB->req.VcNumber = get_next_vcnum(ses);
133 134 135

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

S
Steve French 已提交
136
	/* BB verify whether signing required on neg or just on auth frame
137 138 139 140 141
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

S
Steve French 已提交
142 143
	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
144 145 146 147 148 149 150 151 152 153 154 155 156 157
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
158
	if (ses->capabilities & CAP_UNIX)
159 160 161 162 163
		capabilities |= CAP_UNIX;

	return capabilities;
}

164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209
static void
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	*pbcc_area = bcc_ptr;
}


S
Steve French 已提交
210
static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
211
				   const struct nls_table *nls_cp)
212
{
S
Steve French 已提交
213
	char *bcc_ptr = *pbcc_area;
214 215 216 217 218
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

219 220
	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
221 222
		*bcc_ptr = 0;
		bcc_ptr++;
223
	} */
224
	/* copy user */
S
Steve French 已提交
225
	if (ses->userName == NULL) {
226 227 228
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
229
	} else {
230
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
231
					  MAX_USERNAME_SIZE, nls_cp);
232 233 234 235
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */

236 237
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
	unicode_oslm_strings(&bcc_ptr, nls_cp);
238 239 240 241

	*pbcc_area = bcc_ptr;
}

S
Steve French 已提交
242
static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
243
				 const struct nls_table *nls_cp)
244
{
S
Steve French 已提交
245
	char *bcc_ptr = *pbcc_area;
246 247 248

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
S
Steve French 已提交
249 250 251
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
252 253
	} else {
		strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
S
Steve French 已提交
254
	}
255
	bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
256
	*bcc_ptr = 0;
S
Steve French 已提交
257
	bcc_ptr++; /* account for null termination */
258

S
Steve French 已提交
259 260 261 262
	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
263
		bcc_ptr += strnlen(ses->domainName, 256);
S
Steve French 已提交
264
	} /* else we will send a null domain name
265
	     so the server will default to its own domain */
266 267 268 269 270 271 272
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
273 274
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;
275 276 277 278

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

S
Steve French 已提交
279
	*pbcc_area = bcc_ptr;
280 281
}

282 283 284
static void
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
		      const struct nls_table *nls_cp)
285
{
286
	int len;
S
Steve French 已提交
287
	char *data = *pbcc_area;
288

289
	cFYI(1, "bleft %d", bleft);
290

291 292 293 294 295 296 297 298 299 300 301 302
	/*
	 * Windows servers do not always double null terminate their final
	 * Unicode string. Check to see if there are an uneven number of bytes
	 * left. If so, then add an extra NULL pad byte to the end of the
	 * response.
	 *
	 * See section 2.7.2 in "Implementing CIFS" for details
	 */
	if (bleft % 2) {
		data[bleft] = 0;
		++bleft;
	}
303

304
	kfree(ses->serverOS);
305
	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
306
	cFYI(1, "serverOS=%s", ses->serverOS);
307 308 309 310 311
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
312

313
	kfree(ses->serverNOS);
314
	ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
315
	cFYI(1, "serverNOS=%s", ses->serverNOS);
316 317 318 319 320
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
S
Steve French 已提交
321

322
	kfree(ses->serverDomain);
323
	ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
324
	cFYI(1, "serverDomain=%s", ses->serverDomain);
S
Steve French 已提交
325

326
	return;
327 328
}

S
Steve French 已提交
329 330 331
static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
332 333 334
{
	int rc = 0;
	int len;
S
Steve French 已提交
335
	char *bcc_ptr = *pbcc_area;
336

337
	cFYI(1, "decode sessetup ascii. bleft %d", bleft);
338

339
	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
340
	if (len >= bleft)
341
		return rc;
342

343
	kfree(ses->serverOS);
344 345

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
346
	if (ses->serverOS)
347
		strncpy(ses->serverOS, bcc_ptr, len);
S
Steve French 已提交
348
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
349
			cFYI(1, "OS/2 server");
350 351
			ses->flags |= CIFS_SES_OS2;
	}
352 353 354 355 356

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
357
	if (len >= bleft)
358 359
		return rc;

360
	kfree(ses->serverNOS);
361 362

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
363
	if (ses->serverNOS)
364 365 366 367 368
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

S
Steve French 已提交
369 370 371
	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;
372

373 374 375 376 377
	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
378
	cFYI(1, "ascii: bytes left %d", bleft);
379 380 381 382

	return rc;
}

383 384 385 386 387 388
static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
				    struct cifsSesInfo *ses)
{
	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;

	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
389
		cERROR(1, "challenge blob len %d too small", blob_len);
390 391 392 393
		return -EINVAL;
	}

	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
394
		cERROR(1, "blob signature incorrect %s", pblob->Signature);
395 396 397
		return -EINVAL;
	}
	if (pblob->MessageType != NtLmChallenge) {
398
		cERROR(1, "Incorrect message type %d", pblob->MessageType);
399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451
		return -EINVAL;
	}

	memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
	/* BB we could decode pblob->NegotiateFlags; some may be useful */
	/* In particular we can examine sign flags */
	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
		we must set the MIC field of the AUTHENTICATE_MESSAGE */

	return 0;
}

#ifdef CONFIG_CIFS_EXPERIMENTAL
/* BB Move to ntlmssp.c eventually */

/* We do not malloc the blob, it is passed in pbuffer, because
   it is fixed size, and small, making this approach cleaner */
static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
					 struct cifsSesInfo *ses)
{
	NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
	__u32 flags;

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmNegotiate;

	/* BB is NTLMV2 session security format easier to use here? */
	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
		NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
	if (ses->server->secMode &
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		flags |= NTLMSSP_NEGOTIATE_SIGN;
	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;

	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->WorkstationName.BufferOffset = 0;
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;

	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
	sec_blob->DomainName.BufferOffset = 0;
	sec_blob->DomainName.Length = 0;
	sec_blob->DomainName.MaximumLength = 0;
}

/* We do not malloc the blob, it is passed in pbuffer, because its
   maximum possible size is fixed and small, making this approach cleaner.
   This function returns the length of the data in the blob */
static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
				   struct cifsSesInfo *ses,
452
				   const struct nls_table *nls_cp, bool first)
453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550
{
	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
	__u32 flags;
	unsigned char *tmp;
	char ntlm_session_key[CIFS_SESS_KEY_SIZE];

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmAuthenticate;

	flags = NTLMSSP_NEGOTIATE_56 |
		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
		NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
	if (ses->server->secMode &
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		flags |= NTLMSSP_NEGOTIATE_SIGN;
	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;

	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->LmChallengeResponse.BufferOffset =
				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
	sec_blob->LmChallengeResponse.Length = 0;
	sec_blob->LmChallengeResponse.MaximumLength = 0;

	/* calculate session key,  BB what about adding similar ntlmv2 path? */
	SMBNTencrypt(ses->password, ses->server->cryptKey, ntlm_session_key);
	if (first)
		cifs_calculate_mac_key(&ses->server->mac_signing_key,
				       ntlm_session_key, ses->password);

	memcpy(tmp, ntlm_session_key, CIFS_SESS_KEY_SIZE);
	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->NtChallengeResponse.Length = cpu_to_le16(CIFS_SESS_KEY_SIZE);
	sec_blob->NtChallengeResponse.MaximumLength =
				cpu_to_le16(CIFS_SESS_KEY_SIZE);

	tmp += CIFS_SESS_KEY_SIZE;

	if (ses->domainName == NULL) {
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = 0;
		sec_blob->DomainName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		len += 2; /* trailing null */
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = cpu_to_le16(len);
		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	if (ses->userName == NULL) {
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = 0;
		sec_blob->UserName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		len += 2; /* trailing null */
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = cpu_to_le16(len);
		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;
	tmp += 2;

	sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->SessionKey.Length = 0;
	sec_blob->SessionKey.MaximumLength = 0;
	return tmp - pbuffer;
}


static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
				 struct cifsSesInfo *ses)
{
	build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
	pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));

	return;
}

static int setup_ntlmssp_auth_req(SESSION_SETUP_ANDX *pSMB,
				  struct cifsSesInfo *ses,
551
				  const struct nls_table *nls, bool first_time)
552 553 554 555 556 557 558 559 560 561 562
{
	int bloblen;

	bloblen = build_ntlmssp_auth_blob(&pSMB->req.SecurityBlob[0], ses, nls,
					  first_time);
	pSMB->req.SecurityBlobLength = cpu_to_le16(bloblen);

	return bloblen;
}
#endif

S
Steve French 已提交
563
int
564 565
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
	       const struct nls_table *nls_cp)
566 567 568 569 570
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
571
	char *str_area;
572 573 574
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
575 576
	int resp_buf_type;
	struct kvec iov[3];
577 578 579
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;
580
	struct key *spnego_key = NULL;
581
	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
582
	bool first_time;
583

S
Steve French 已提交
584
	if (ses == NULL)
585 586
		return -EINVAL;

587 588 589 590
	read_lock(&cifs_tcp_ses_lock);
	first_time = is_first_ses_reconnect(ses);
	read_unlock(&cifs_tcp_ses_lock);

591
	type = ses->server->secType;
592

593
	cFYI(1, "sess setup type %d", type);
594 595 596 597
ssetup_ntlmssp_authenticate:
	if (phase == NtLmChallenge)
		phase = NtLmAuthenticate; /* if ntlmssp, now final phase */

S
Steve French 已提交
598
	if (type == LANMAN) {
599 600 601 602 603 604 605 606 607
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
S
Steve French 已提交
608
	} else if ((type == NTLM) || (type == NTLMv2)) {
609
		/* For NTLMv2 failures eventually may need to retry NTLM */
610
		wct = 13; /* old style NTLM sessionsetup */
S
Steve French 已提交
611
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
612 613 614 615
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
S
Steve French 已提交
616
	if (rc)
617 618 619 620 621
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);
622

623 624 625 626 627 628
	/* we will send the SMB in three pieces:
	a fixed length beginning part, an optional
	SPNEGO blob (which can be zero length), and a
	last part which will include the strings
	and rest of bcc area. This allows us to avoid
	a large buffer 17K allocation */
S
Steve French 已提交
629 630
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;
631

632 633 634 635
	/* setting this here allows the code at the end of the function
	   to free the request buffer if there's an error */
	resp_buf_type = CIFS_SMALL_BUFFER;

636 637
	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
638
	if (str_area == NULL) {
639 640
		rc = -ENOMEM;
		goto ssetup_exit;
641
	}
642
	bcc_ptr = str_area;
643

644 645
	ses->flags &= ~CIFS_SES_LANMAN;

646 647 648
	iov[1].iov_base = NULL;
	iov[1].iov_len = 0;

S
Steve French 已提交
649
	if (type == LANMAN) {
650
#ifdef CONFIG_CIFS_WEAK_PW_HASH
651
		char lnm_session_key[CIFS_SESS_KEY_SIZE];
652

653 654
		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;

655 656
		/* no capabilities flags in old lanman negotiation */

S
Steve French 已提交
657
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
658 659 660
		/* BB calculate hash with password */
		/* and copy into bcc */

661 662 663 664
		calc_lanman_hash(ses->password, ses->server->cryptKey,
				 ses->server->secMode & SECMODE_PW_ENCRYPT ?
					true : false, lnm_session_key);

S
Steve French 已提交
665
		ses->flags |= CIFS_SES_LANMAN;
666 667
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
668 669 670 671 672 673

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

674
		cFYI(1, "Negotiating LANMAN setting up strings");
675 676
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
S
Steve French 已提交
677
#endif
678
	} else if (type == NTLM) {
679
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];
680 681 682

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
683
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
684
		pSMB->req_no_secext.CaseSensitivePasswordLength =
685
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
686

687 688 689 690
		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

S
Steve French 已提交
691
		if (first_time) /* should this be moved into common code
692
				  with similar ntlmv2 path? */
693
			cifs_calculate_mac_key(&ses->server->mac_signing_key,
694 695 696
				ntlm_session_key, ses->password);
		/* copy session key */

S
Steve French 已提交
697
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
698
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
699
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
700
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
701
		if (ses->capabilities & CAP_UNICODE) {
702 703 704
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
S
Steve French 已提交
705 706
				bcc_ptr++;
			}
707
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
708
		} else
709 710
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
S
Steve French 已提交
711
		char *v2_sess_key =
S
Steve French 已提交
712
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
S
Steve French 已提交
713 714 715

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */
716

S
Steve French 已提交
717
		if (v2_sess_key == NULL) {
718 719
			rc = -ENOMEM;
			goto ssetup_exit;
720 721 722 723 724 725 726 727 728
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
S
Steve French 已提交
729
			cpu_to_le16(sizeof(struct ntlmv2_resp));
730 731

		/* calculate session key */
S
Steve French 已提交
732
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
S
Steve French 已提交
733 734
		if (first_time) /* should this be moved into common code
				   with similar ntlmv2 path? */
735 736 737 738 739 740 741
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
S
Steve French 已提交
742 743
		memcpy(bcc_ptr, (char *)v2_sess_key,
		       sizeof(struct ntlmv2_resp));
S
Steve French 已提交
744 745
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
S
Steve French 已提交
746 747
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
748
				*bcc_ptr = 0;
749 750
				bcc_ptr++;
			}
751
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
752
		} else
753
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
754
	} else if (type == Kerberos || type == MSKerberos) {
755 756 757 758 759 760 761 762 763 764
#ifdef CONFIG_CIFS_UPCALL
		struct cifs_spnego_msg *msg;
		spnego_key = cifs_get_spnego_key(ses);
		if (IS_ERR(spnego_key)) {
			rc = PTR_ERR(spnego_key);
			spnego_key = NULL;
			goto ssetup_exit;
		}

		msg = spnego_key->payload.data;
765 766 767
		/* check version field to make sure that cifs.upcall is
		   sending us a response in an expected form */
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
768
			cERROR(1, "incorrect version of cifs.upcall (expected"
769
				   " %d but got %d)",
770
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version);
771 772 773
			rc = -EKEYREJECTED;
			goto ssetup_exit;
		}
774 775 776
		/* bail out if key is too long */
		if (msg->sesskey_len >
		    sizeof(ses->server->mac_signing_key.data.krb5)) {
777 778
			cERROR(1, "Kerberos signing key too long (%u bytes)",
				msg->sesskey_len);
779 780 781
			rc = -EOVERFLOW;
			goto ssetup_exit;
		}
782 783 784 785 786
		if (first_time) {
			ses->server->mac_signing_key.len = msg->sesskey_len;
			memcpy(ses->server->mac_signing_key.data.krb5,
				msg->data, msg->sesskey_len);
		}
787 788 789
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
790 791 792 793 794 795
		iov[1].iov_base = msg->data + msg->sesskey_len;
		iov[1].iov_len = msg->secblob_len;
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);

		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
796
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
797 798 799 800 801 802 803 804 805
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
		} else
		/* BB: is this right? */
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#else /* ! CONFIG_CIFS_UPCALL */
806
		cERROR(1, "Kerberos negotiated but upcall support disabled!");
807 808 809 810
		rc = -ENOSYS;
		goto ssetup_exit;
#endif /* CONFIG_CIFS_UPCALL */
	} else {
811
#ifdef CONFIG_CIFS_EXPERIMENTAL
812
		if (type == RawNTLMSSP) {
813
			if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
814
				cERROR(1, "NTLMSSP requires Unicode support");
815 816 817 818
				rc = -ENOSYS;
				goto ssetup_exit;
			}

819
			cFYI(1, "ntlmssp session setup phase %d", phase);
820 821 822 823 824 825 826 827 828 829 830 831
			pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
			capabilities |= CAP_EXTENDED_SECURITY;
			pSMB->req.Capabilities |= cpu_to_le32(capabilities);
			if (phase == NtLmNegotiate) {
				setup_ntlmssp_neg_req(pSMB, ses);
				iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
			} else if (phase == NtLmAuthenticate) {
				int blob_len;
				blob_len = setup_ntlmssp_auth_req(pSMB, ses,
								  nls_cp,
								  first_time);
				iov[1].iov_len = blob_len;
832 833 834 835
				/* Make sure that we tell the server that we
				   are using the uid that it just gave us back
				   on the response (challenge) */
				smb_buf->Uid = ses->Suid;
836
			} else {
837
				cERROR(1, "invalid phase %d", phase);
838 839 840 841 842 843 844 845 846 847 848
				rc = -ENOSYS;
				goto ssetup_exit;
			}
			iov[1].iov_base = &pSMB->req.SecurityBlob[0];
			/* unicode strings must be word aligned */
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
		} else {
849
			cERROR(1, "secType %d not supported!", type);
850 851 852 853
			rc = -ENOSYS;
			goto ssetup_exit;
		}
#else
854
		cERROR(1, "secType %d not supported!", type);
855 856
		rc = -ENOSYS;
		goto ssetup_exit;
857
#endif
858 859
	}

860 861 862 863
	iov[2].iov_base = str_area;
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;

	count = iov[1].iov_len + iov[2].iov_len;
864 865 866 867
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

868
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
869
			  CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
870 871
	/* SMB request buf freed in SendReceive2 */

872
	cFYI(1, "ssetup rc from sendrecv2 is %d", rc);
873 874 875 876

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

877 878 879
	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
		if (phase != NtLmNegotiate) {
880
			cERROR(1, "Unexpected more processing error");
881 882 883 884 885 886 887 888 889
			goto ssetup_exit;
		}
		/* NTLMSSP Negotiate sent now processing challenge (response) */
		phase = NtLmChallenge; /* process ntlmssp challenge */
		rc = 0; /* MORE_PROC rc is not an error here, but expected */
	}
	if (rc)
		goto ssetup_exit;

S
Steve French 已提交
890
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
891
		rc = -EIO;
892
		cERROR(1, "bad word count %d", smb_buf->WordCount);
893 894 895 896
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
897
		cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
898
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
899
	cFYI(1, "UID = %d ", ses->Suid);
900 901 902 903 904
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

S
Steve French 已提交
905
	if (smb_buf->WordCount == 4) {
906 907
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
S
Steve French 已提交
908
		if (blob_len > bytes_remaining) {
909
			cERROR(1, "bad security blob length %d", blob_len);
910 911 912
			rc = -EINVAL;
			goto ssetup_exit;
		}
913 914 915 916 917 918 919
		if (phase == NtLmChallenge) {
			rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
			/* now goto beginning for ntlmssp authenticate phase */
			if (rc)
				goto ssetup_exit;
		}
		bcc_ptr += blob_len;
920
		bytes_remaining -= blob_len;
S
Steve French 已提交
921
	}
922 923

	/* BB check if Unicode and decode strings */
924 925 926 927 928 929
	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
		/* unicode string area must be word-aligned */
		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
			++bcc_ptr;
			--bytes_remaining;
		}
930
		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
931
	} else {
932 933
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);
934
	}
935

936
ssetup_exit:
937 938
	if (spnego_key) {
		key_revoke(spnego_key);
939
		key_put(spnego_key);
940
	}
941
	kfree(str_area);
S
Steve French 已提交
942
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
943
		cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
944
		cifs_small_buf_release(iov[0].iov_base);
S
Steve French 已提交
945
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
946 947
		cifs_buf_release(iov[0].iov_base);

948 949 950 951
	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
	if ((phase == NtLmChallenge) && (rc == 0))
		goto ssetup_ntlmssp_authenticate;

952 953
	return rc;
}