sess.c 28.1 KB
Newer Older
1 2 3 4 5
/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2009
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include "cifs_spnego.h"
33 34

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
S
Steve French 已提交
35
			 unsigned char *p24);
36

37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113
/* Checks if this is the first smb session to be reconnected after
   the socket has been reestablished (so we know whether to use vc 0).
   Called while holding the cifs_tcp_ses_lock, so do not block */
static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
{
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;

	list_for_each(tmp, &ses->server->smb_ses_list) {
		tmp_ses = list_entry(tmp, struct cifsSesInfo,
				     smb_ses_list);
		if (tmp_ses->need_reconnect == false)
			return false;
	}
	/* could not find a session that was already connected,
	   this must be the first one we are reconnecting */
	return true;
}

/*
 *	vc number 0 is treated specially by some servers, and should be the
 *      first one we request.  After that we can use vcnumbers up to maxvcs,
 *	one for each smb session (some Windows versions set maxvcs incorrectly
 *	so maxvc=1 can be ignored).  If we have too many vcs, we can reuse
 *	any vc but zero (some servers reset the connection on vcnum zero)
 *
 */
static __le16 get_next_vcnum(struct cifsSesInfo *ses)
{
	__u16 vcnum = 0;
	struct list_head *tmp;
	struct cifsSesInfo *tmp_ses;
	__u16 max_vcs = ses->server->max_vcs;
	__u16 i;
	int free_vc_found = 0;

	/* Quoting the MS-SMB specification: "Windows-based SMB servers set this
	field to one but do not enforce this limit, which allows an SMB client
	to establish more virtual circuits than allowed by this value ... but
	other server implementations can enforce this limit." */
	if (max_vcs < 2)
		max_vcs = 0xFFFF;

	write_lock(&cifs_tcp_ses_lock);
	if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
			goto get_vc_num_exit;  /* vcnum will be zero */
	for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
		if (i == 0) /* this is the only connection, use vc 0 */
			break;

		free_vc_found = 1;

		list_for_each(tmp, &ses->server->smb_ses_list) {
			tmp_ses = list_entry(tmp, struct cifsSesInfo,
					     smb_ses_list);
			if (tmp_ses->vcnum == i) {
				free_vc_found = 0;
				break; /* found duplicate, try next vcnum */
			}
		}
		if (free_vc_found)
			break; /* we found a vcnumber that will work - use it */
	}

	if (i == 0)
		vcnum = 0; /* for most common case, ie if one smb session, use
			      vc zero.  Also for case when no free vcnum, zero
			      is safest to send (some clients only send zero) */
	else if (free_vc_found == 0)
		vcnum = 1;  /* we can not reuse vc=0 safely, since some servers
				reset all uids on that, but 1 is ok. */
	else
		vcnum = i;
	ses->vcnum = vcnum;
get_vc_num_exit:
	write_unlock(&cifs_tcp_ses_lock);

114
	return cpu_to_le16(vcnum);
115 116
}

117 118 119 120 121
static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
122 123 124 125
	/* Note that offsets for first seven fields in req struct are same  */
	/*	in CIFS Specs so does not matter which of 3 forms of struct */
	/*	that we use in next few lines                               */
	/* Note that header is initialized to zero in header_assemble */
126 127 128
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
129
	pSMB->req.VcNumber = get_next_vcnum(ses);
130 131 132

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

S
Steve French 已提交
133
	/* BB verify whether signing required on neg or just on auth frame
134 135 136 137 138
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

S
Steve French 已提交
139 140
	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
141 142 143 144 145 146 147 148 149 150 151 152 153 154
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
155
	if (ses->capabilities & CAP_UNIX)
156 157 158 159 160
		capabilities |= CAP_UNIX;

	return capabilities;
}

161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206
static void
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	*pbcc_area = bcc_ptr;
}


S
Steve French 已提交
207
static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
208
				   const struct nls_table *nls_cp)
209
{
S
Steve French 已提交
210
	char *bcc_ptr = *pbcc_area;
211 212 213 214 215
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

216 217
	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
218 219
		*bcc_ptr = 0;
		bcc_ptr++;
220
	} */
221
	/* copy user */
S
Steve French 已提交
222
	if (ses->userName == NULL) {
223 224 225
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
226 227 228 229 230 231 232
	} else { /* 300 should be long enough for any conceivable user name */
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
					  300, nls_cp);
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */

233 234
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
	unicode_oslm_strings(&bcc_ptr, nls_cp);
235 236 237 238

	*pbcc_area = bcc_ptr;
}

S
Steve French 已提交
239
static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
240
				 const struct nls_table *nls_cp)
241
{
S
Steve French 已提交
242
	char *bcc_ptr = *pbcc_area;
243 244 245

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
S
Steve French 已提交
246 247 248 249 250 251
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
	} else { /* 300 should be long enough for any conceivable user name */
		strncpy(bcc_ptr, ses->userName, 300);
	}
252
	/* BB improve check for overflow */
S
Steve French 已提交
253
	bcc_ptr += strnlen(ses->userName, 300);
254
	*bcc_ptr = 0;
S
Steve French 已提交
255
	bcc_ptr++; /* account for null termination */
256

S
Steve French 已提交
257 258 259 260
	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
261
		bcc_ptr += strnlen(ses->domainName, 256);
S
Steve French 已提交
262
	} /* else we will send a null domain name
263
	     so the server will default to its own domain */
264 265 266 267 268 269 270
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
271 272
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;
273 274 275 276

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

S
Steve French 已提交
277
	*pbcc_area = bcc_ptr;
278 279
}

280 281 282
static void
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
		      const struct nls_table *nls_cp)
283
{
284
	int len;
S
Steve French 已提交
285
	char *data = *pbcc_area;
286

S
Steve French 已提交
287
	cFYI(1, ("bleft %d", bleft));
288

289 290 291 292 293 294 295 296 297 298 299 300
	/*
	 * Windows servers do not always double null terminate their final
	 * Unicode string. Check to see if there are an uneven number of bytes
	 * left. If so, then add an extra NULL pad byte to the end of the
	 * response.
	 *
	 * See section 2.7.2 in "Implementing CIFS" for details
	 */
	if (bleft % 2) {
		data[bleft] = 0;
		++bleft;
	}
301

302
	kfree(ses->serverOS);
303
	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
304 305 306 307 308 309
	cFYI(1, ("serverOS=%s", ses->serverOS));
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
310

311
	kfree(ses->serverNOS);
312
	ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
313 314 315 316 317 318
	cFYI(1, ("serverNOS=%s", ses->serverNOS));
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
	data += len;
	bleft -= len;
	if (bleft <= 0)
		return;
S
Steve French 已提交
319

320
	kfree(ses->serverDomain);
321
	ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
322
	cFYI(1, ("serverDomain=%s", ses->serverDomain));
S
Steve French 已提交
323

324
	return;
325 326
}

S
Steve French 已提交
327 328 329
static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
330 331 332
{
	int rc = 0;
	int len;
S
Steve French 已提交
333
	char *bcc_ptr = *pbcc_area;
334

S
Steve French 已提交
335
	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));
336

337
	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
338
	if (len >= bleft)
339
		return rc;
340

341
	kfree(ses->serverOS);
342 343

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
344
	if (ses->serverOS)
345
		strncpy(ses->serverOS, bcc_ptr, len);
S
Steve French 已提交
346 347
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
			cFYI(1, ("OS/2 server"));
348 349
			ses->flags |= CIFS_SES_OS2;
	}
350 351 352 353 354

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
355
	if (len >= bleft)
356 357
		return rc;

358
	kfree(ses->serverNOS);
359 360

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
361
	if (ses->serverNOS)
362 363 364 365 366
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

S
Steve French 已提交
367 368 369
	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;
370

371 372 373 374 375
	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
S
Steve French 已提交
376
	cFYI(1, ("ascii: bytes left %d", bleft));
377 378 379 380

	return rc;
}

381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560
static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
				    struct cifsSesInfo *ses)
{
	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;

	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
		cERROR(1, ("challenge blob len %d too small", blob_len));
		return -EINVAL;
	}

	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
		cERROR(1, ("blob signature incorrect %s", pblob->Signature));
		return -EINVAL;
	}
	if (pblob->MessageType != NtLmChallenge) {
		cERROR(1, ("Incorrect message type %d", pblob->MessageType));
		return -EINVAL;
	}

	memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
	/* BB we could decode pblob->NegotiateFlags; some may be useful */
	/* In particular we can examine sign flags */
	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
		we must set the MIC field of the AUTHENTICATE_MESSAGE */

	return 0;
}

#ifdef CONFIG_CIFS_EXPERIMENTAL
/* BB Move to ntlmssp.c eventually */

/* We do not malloc the blob, it is passed in pbuffer, because
   it is fixed size, and small, making this approach cleaner */
static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
					 struct cifsSesInfo *ses)
{
	NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
	__u32 flags;

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmNegotiate;

	/* BB is NTLMV2 session security format easier to use here? */
	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
		NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
	if (ses->server->secMode &
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		flags |= NTLMSSP_NEGOTIATE_SIGN;
	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;

	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->WorkstationName.BufferOffset = 0;
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;

	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
	sec_blob->DomainName.BufferOffset = 0;
	sec_blob->DomainName.Length = 0;
	sec_blob->DomainName.MaximumLength = 0;
}

/* We do not malloc the blob, it is passed in pbuffer, because its
   maximum possible size is fixed and small, making this approach cleaner.
   This function returns the length of the data in the blob */
static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
				   struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp, int first)
{
	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
	__u32 flags;
	unsigned char *tmp;
	char ntlm_session_key[CIFS_SESS_KEY_SIZE];

	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
	sec_blob->MessageType = NtLmAuthenticate;

	flags = NTLMSSP_NEGOTIATE_56 |
		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
		NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
	if (ses->server->secMode &
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		flags |= NTLMSSP_NEGOTIATE_SIGN;
	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;

	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
	sec_blob->NegotiateFlags |= cpu_to_le32(flags);

	sec_blob->LmChallengeResponse.BufferOffset =
				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
	sec_blob->LmChallengeResponse.Length = 0;
	sec_blob->LmChallengeResponse.MaximumLength = 0;

	/* calculate session key,  BB what about adding similar ntlmv2 path? */
	SMBNTencrypt(ses->password, ses->server->cryptKey, ntlm_session_key);
	if (first)
		cifs_calculate_mac_key(&ses->server->mac_signing_key,
				       ntlm_session_key, ses->password);

	memcpy(tmp, ntlm_session_key, CIFS_SESS_KEY_SIZE);
	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->NtChallengeResponse.Length = cpu_to_le16(CIFS_SESS_KEY_SIZE);
	sec_blob->NtChallengeResponse.MaximumLength =
				cpu_to_le16(CIFS_SESS_KEY_SIZE);

	tmp += CIFS_SESS_KEY_SIZE;

	if (ses->domainName == NULL) {
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = 0;
		sec_blob->DomainName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		len += 2; /* trailing null */
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->DomainName.Length = cpu_to_le16(len);
		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	if (ses->userName == NULL) {
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = 0;
		sec_blob->UserName.MaximumLength = 0;
		tmp += 2;
	} else {
		int len;
		len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
				    MAX_USERNAME_SIZE, nls_cp);
		len *= 2; /* unicode is 2 bytes each */
		len += 2; /* trailing null */
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		sec_blob->UserName.Length = cpu_to_le16(len);
		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
		tmp += len;
	}

	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->WorkstationName.Length = 0;
	sec_blob->WorkstationName.MaximumLength = 0;
	tmp += 2;

	sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
	sec_blob->SessionKey.Length = 0;
	sec_blob->SessionKey.MaximumLength = 0;
	return tmp - pbuffer;
}


static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
				 struct cifsSesInfo *ses)
{
	build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
	pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));

	return;
}

static int setup_ntlmssp_auth_req(SESSION_SETUP_ANDX *pSMB,
				  struct cifsSesInfo *ses,
				  const struct nls_table *nls, int first_time)
{
	int bloblen;

	bloblen = build_ntlmssp_auth_blob(&pSMB->req.SecurityBlob[0], ses, nls,
					  first_time);
	pSMB->req.SecurityBlobLength = cpu_to_le16(bloblen);

	return bloblen;
}
#endif

S
Steve French 已提交
561
int
562 563 564 565 566 567 568
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
		const struct nls_table *nls_cp)
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
569
	char *str_area;
570 571 572
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
573 574
	int resp_buf_type;
	struct kvec iov[3];
575 576 577
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;
578
	struct key *spnego_key = NULL;
579
	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
580

S
Steve French 已提交
581
	if (ses == NULL)
582 583 584
		return -EINVAL;

	type = ses->server->secType;
585

S
Steve French 已提交
586
	cFYI(1, ("sess setup type %d", type));
587 588 589 590
ssetup_ntlmssp_authenticate:
	if (phase == NtLmChallenge)
		phase = NtLmAuthenticate; /* if ntlmssp, now final phase */

S
Steve French 已提交
591
	if (type == LANMAN) {
592 593 594 595 596 597 598 599 600
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
S
Steve French 已提交
601
	} else if ((type == NTLM) || (type == NTLMv2)) {
602
		/* For NTLMv2 failures eventually may need to retry NTLM */
603
		wct = 13; /* old style NTLM sessionsetup */
S
Steve French 已提交
604
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
605 606 607 608
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
S
Steve French 已提交
609
	if (rc)
610 611 612 613 614
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);
615

616 617 618 619 620 621
	/* we will send the SMB in three pieces:
	a fixed length beginning part, an optional
	SPNEGO blob (which can be zero length), and a
	last part which will include the strings
	and rest of bcc area. This allows us to avoid
	a large buffer 17K allocation */
S
Steve French 已提交
622 623
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;
624

625 626 627 628
	/* setting this here allows the code at the end of the function
	   to free the request buffer if there's an error */
	resp_buf_type = CIFS_SMALL_BUFFER;

629 630
	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
631
	if (str_area == NULL) {
632 633
		rc = -ENOMEM;
		goto ssetup_exit;
634
	}
635
	bcc_ptr = str_area;
636

637 638
	ses->flags &= ~CIFS_SES_LANMAN;

639 640 641
	iov[1].iov_base = NULL;
	iov[1].iov_len = 0;

S
Steve French 已提交
642
	if (type == LANMAN) {
643
#ifdef CONFIG_CIFS_WEAK_PW_HASH
644
		char lnm_session_key[CIFS_SESS_KEY_SIZE];
645

646 647
		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;

648 649
		/* no capabilities flags in old lanman negotiation */

S
Steve French 已提交
650
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
651 652 653
		/* BB calculate hash with password */
		/* and copy into bcc */

654 655 656 657
		calc_lanman_hash(ses->password, ses->server->cryptKey,
				 ses->server->secMode & SECMODE_PW_ENCRYPT ?
					true : false, lnm_session_key);

S
Steve French 已提交
658
		ses->flags |= CIFS_SES_LANMAN;
659 660
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
661 662 663 664 665 666

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

S
Steve French 已提交
667
		cFYI(1, ("Negotiating LANMAN setting up strings"));
668 669
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
S
Steve French 已提交
670
#endif
671
	} else if (type == NTLM) {
672
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];
673 674 675

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
676
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
677
		pSMB->req_no_secext.CaseSensitivePasswordLength =
678
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
679

680 681 682 683
		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

S
Steve French 已提交
684
		if (first_time) /* should this be moved into common code
685
				  with similar ntlmv2 path? */
686
			cifs_calculate_mac_key(&ses->server->mac_signing_key,
687 688 689
				ntlm_session_key, ses->password);
		/* copy session key */

S
Steve French 已提交
690
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
691
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
692
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
693
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
694
		if (ses->capabilities & CAP_UNICODE) {
695 696 697
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
S
Steve French 已提交
698 699
				bcc_ptr++;
			}
700
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
701
		} else
702 703
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
S
Steve French 已提交
704
		char *v2_sess_key =
S
Steve French 已提交
705
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
S
Steve French 已提交
706 707 708

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */
709

S
Steve French 已提交
710
		if (v2_sess_key == NULL) {
711 712
			rc = -ENOMEM;
			goto ssetup_exit;
713 714 715 716 717 718 719 720 721
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
S
Steve French 已提交
722
			cpu_to_le16(sizeof(struct ntlmv2_resp));
723 724

		/* calculate session key */
S
Steve French 已提交
725
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
S
Steve French 已提交
726 727
		if (first_time) /* should this be moved into common code
				   with similar ntlmv2 path? */
728 729 730 731 732 733 734
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
S
Steve French 已提交
735 736
		memcpy(bcc_ptr, (char *)v2_sess_key,
		       sizeof(struct ntlmv2_resp));
S
Steve French 已提交
737 738
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
S
Steve French 已提交
739 740
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
741
				*bcc_ptr = 0;
742 743
				bcc_ptr++;
			}
744
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
745
		} else
746
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
747
	} else if (type == Kerberos || type == MSKerberos) {
748 749 750 751 752 753 754 755 756 757
#ifdef CONFIG_CIFS_UPCALL
		struct cifs_spnego_msg *msg;
		spnego_key = cifs_get_spnego_key(ses);
		if (IS_ERR(spnego_key)) {
			rc = PTR_ERR(spnego_key);
			spnego_key = NULL;
			goto ssetup_exit;
		}

		msg = spnego_key->payload.data;
758 759 760 761 762 763 764 765 766
		/* check version field to make sure that cifs.upcall is
		   sending us a response in an expected form */
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
			cERROR(1, ("incorrect version of cifs.upcall (expected"
				   " %d but got %d)",
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version));
			rc = -EKEYREJECTED;
			goto ssetup_exit;
		}
767 768 769 770 771 772 773 774
		/* bail out if key is too long */
		if (msg->sesskey_len >
		    sizeof(ses->server->mac_signing_key.data.krb5)) {
			cERROR(1, ("Kerberos signing key too long (%u bytes)",
				msg->sesskey_len));
			rc = -EOVERFLOW;
			goto ssetup_exit;
		}
775 776 777 778 779
		if (first_time) {
			ses->server->mac_signing_key.len = msg->sesskey_len;
			memcpy(ses->server->mac_signing_key.data.krb5,
				msg->data, msg->sesskey_len);
		}
780 781 782
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
783 784 785 786 787 788
		iov[1].iov_base = msg->data + msg->sesskey_len;
		iov[1].iov_len = msg->secblob_len;
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);

		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
789
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
790 791 792 793 794 795 796 797 798 799 800 801 802 803
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
		} else
		/* BB: is this right? */
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#else /* ! CONFIG_CIFS_UPCALL */
		cERROR(1, ("Kerberos negotiated but upcall support disabled!"));
		rc = -ENOSYS;
		goto ssetup_exit;
#endif /* CONFIG_CIFS_UPCALL */
	} else {
804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842
#ifdef CONFIG_CIFS_EXPERIMENTAL
		if ((experimEnabled > 1) && (type == RawNTLMSSP)) {
			if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
				cERROR(1, ("NTLMSSP requires Unicode support"));
				rc = -ENOSYS;
				goto ssetup_exit;
			}

			cFYI(1, ("ntlmssp session setup phase %d", phase));
			pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
			capabilities |= CAP_EXTENDED_SECURITY;
			pSMB->req.Capabilities |= cpu_to_le32(capabilities);
			if (phase == NtLmNegotiate) {
				setup_ntlmssp_neg_req(pSMB, ses);
				iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
			} else if (phase == NtLmAuthenticate) {
				int blob_len;
				blob_len = setup_ntlmssp_auth_req(pSMB, ses,
								  nls_cp,
								  first_time);
				iov[1].iov_len = blob_len;
			} else {
				cERROR(1, ("invalid phase %d", phase));
				rc = -ENOSYS;
				goto ssetup_exit;
			}
			iov[1].iov_base = &pSMB->req.SecurityBlob[0];
			/* unicode strings must be word aligned */
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
		} else {
			cERROR(1, ("secType %d not supported!", type));
			rc = -ENOSYS;
			goto ssetup_exit;
		}
#else
843 844 845
		cERROR(1, ("secType %d not supported!", type));
		rc = -ENOSYS;
		goto ssetup_exit;
846
#endif
847 848
	}

849 850 851 852
	iov[2].iov_base = str_area;
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;

	count = iov[1].iov_len + iov[2].iov_len;
853 854 855 856
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

857
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
858
			  CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
859 860
	/* SMB request buf freed in SendReceive2 */

S
Steve French 已提交
861
	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
862 863 864 865

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

866 867 868 869 870 871 872 873 874 875 876 877 878
	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
		if (phase != NtLmNegotiate) {
			cERROR(1, ("Unexpected more processing error"));
			goto ssetup_exit;
		}
		/* NTLMSSP Negotiate sent now processing challenge (response) */
		phase = NtLmChallenge; /* process ntlmssp challenge */
		rc = 0; /* MORE_PROC rc is not an error here, but expected */
	}
	if (rc)
		goto ssetup_exit;

S
Steve French 已提交
879
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
880
		rc = -EIO;
S
Steve French 已提交
881
		cERROR(1, ("bad word count %d", smb_buf->WordCount));
882 883 884 885
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
886
		cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
887 888 889 890 891 892 893
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
	cFYI(1, ("UID = %d ", ses->Suid));
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

S
Steve French 已提交
894
	if (smb_buf->WordCount == 4) {
895 896
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
S
Steve French 已提交
897 898
		if (blob_len > bytes_remaining) {
			cERROR(1, ("bad security blob length %d", blob_len));
899 900 901
			rc = -EINVAL;
			goto ssetup_exit;
		}
902 903 904 905 906 907 908
		if (phase == NtLmChallenge) {
			rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
			/* now goto beginning for ntlmssp authenticate phase */
			if (rc)
				goto ssetup_exit;
		}
		bcc_ptr += blob_len;
909
		bytes_remaining -= blob_len;
S
Steve French 已提交
910
	}
911 912

	/* BB check if Unicode and decode strings */
913 914 915 916 917 918
	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
		/* unicode string area must be word-aligned */
		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
			++bcc_ptr;
			--bytes_remaining;
		}
919
		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
920
	} else {
921 922
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);
923
	}
924

925
ssetup_exit:
926 927
	if (spnego_key) {
		key_revoke(spnego_key);
928
		key_put(spnego_key);
929
	}
930
	kfree(str_area);
S
Steve French 已提交
931 932
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
		cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
933
		cifs_small_buf_release(iov[0].iov_base);
S
Steve French 已提交
934
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
935 936
		cifs_buf_release(iov[0].iov_base);

937 938 939 940
	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
	if ((phase == NtLmChallenge) && (rc == 0))
		goto ssetup_ntlmssp_authenticate;

941 942
	return rc;
}