~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/fs/cifs/sess.c

Version: ~ [ linux-5.8-rc4 ] ~ [ linux-5.7.7 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.50 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.131 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.187 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.229 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.229 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *   fs/cifs/sess.c
  3  *
  4  *   SMB/CIFS session setup handling routines
  5  *
  6  *   Copyright (c) International Business Machines  Corp., 2006, 2009
  7  *   Author(s): Steve French (sfrench@us.ibm.com)
  8  *
  9  *   This library is free software; you can redistribute it and/or modify
 10  *   it under the terms of the GNU Lesser General Public License as published
 11  *   by the Free Software Foundation; either version 2.1 of the License, or
 12  *   (at your option) any later version.
 13  *
 14  *   This library is distributed in the hope that it will be useful,
 15  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 16  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 17  *   the GNU Lesser General Public License for more details.
 18  *
 19  *   You should have received a copy of the GNU Lesser General Public License
 20  *   along with this library; if not, write to the Free Software
 21  *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 22  */
 23 
 24 #include "cifspdu.h"
 25 #include "cifsglob.h"
 26 #include "cifsproto.h"
 27 #include "cifs_unicode.h"
 28 #include "cifs_debug.h"
 29 #include "ntlmssp.h"
 30 #include "nterr.h"
 31 #include <linux/utsname.h>
 32 #include <linux/slab.h>
 33 #include "cifs_spnego.h"
 34 
 35 static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
 36 {
 37         __u32 capabilities = 0;
 38 
 39         /* init fields common to all four types of SessSetup */
 40         /* Note that offsets for first seven fields in req struct are same  */
 41         /*      in CIFS Specs so does not matter which of 3 forms of struct */
 42         /*      that we use in next few lines                               */
 43         /* Note that header is initialized to zero in header_assemble */
 44         pSMB->req.AndXCommand = 0xFF;
 45         pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
 46                                         CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
 47                                         USHRT_MAX));
 48         pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
 49         pSMB->req.VcNumber = cpu_to_le16(1);
 50 
 51         /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
 52 
 53         /* BB verify whether signing required on neg or just on auth frame
 54            (and NTLM case) */
 55 
 56         capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
 57                         CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
 58 
 59         if (ses->server->sign)
 60                 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
 61 
 62         if (ses->capabilities & CAP_UNICODE) {
 63                 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
 64                 capabilities |= CAP_UNICODE;
 65         }
 66         if (ses->capabilities & CAP_STATUS32) {
 67                 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
 68                 capabilities |= CAP_STATUS32;
 69         }
 70         if (ses->capabilities & CAP_DFS) {
 71                 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
 72                 capabilities |= CAP_DFS;
 73         }
 74         if (ses->capabilities & CAP_UNIX)
 75                 capabilities |= CAP_UNIX;
 76 
 77         return capabilities;
 78 }
 79 
 80 static void
 81 unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
 82 {
 83         char *bcc_ptr = *pbcc_area;
 84         int bytes_ret = 0;
 85 
 86         /* Copy OS version */
 87         bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
 88                                     nls_cp);
 89         bcc_ptr += 2 * bytes_ret;
 90         bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
 91                                     32, nls_cp);
 92         bcc_ptr += 2 * bytes_ret;
 93         bcc_ptr += 2; /* trailing null */
 94 
 95         bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
 96                                     32, nls_cp);
 97         bcc_ptr += 2 * bytes_ret;
 98         bcc_ptr += 2; /* trailing null */
 99 
100         *pbcc_area = bcc_ptr;
101 }
102 
103 static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
104                                    const struct nls_table *nls_cp)
105 {
106         char *bcc_ptr = *pbcc_area;
107         int bytes_ret = 0;
108 
109         /* copy domain */
110         if (ses->domainName == NULL) {
111                 /* Sending null domain better than using a bogus domain name (as
112                 we did briefly in 2.6.18) since server will use its default */
113                 *bcc_ptr = 0;
114                 *(bcc_ptr+1) = 0;
115                 bytes_ret = 0;
116         } else
117                 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
118                                             CIFS_MAX_DOMAINNAME_LEN, nls_cp);
119         bcc_ptr += 2 * bytes_ret;
120         bcc_ptr += 2;  /* account for null terminator */
121 
122         *pbcc_area = bcc_ptr;
123 }
124 
125 
126 static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
127                                    const struct nls_table *nls_cp)
128 {
129         char *bcc_ptr = *pbcc_area;
130         int bytes_ret = 0;
131 
132         /* BB FIXME add check that strings total less
133         than 335 or will need to send them as arrays */
134 
135         /* unicode strings, must be word aligned before the call */
136 /*      if ((long) bcc_ptr % 2) {
137                 *bcc_ptr = 0;
138                 bcc_ptr++;
139         } */
140         /* copy user */
141         if (ses->user_name == NULL) {
142                 /* null user mount */
143                 *bcc_ptr = 0;
144                 *(bcc_ptr+1) = 0;
145         } else {
146                 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
147                                             CIFS_MAX_USERNAME_LEN, nls_cp);
148         }
149         bcc_ptr += 2 * bytes_ret;
150         bcc_ptr += 2; /* account for null termination */
151 
152         unicode_domain_string(&bcc_ptr, ses, nls_cp);
153         unicode_oslm_strings(&bcc_ptr, nls_cp);
154 
155         *pbcc_area = bcc_ptr;
156 }
157 
158 static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
159                                  const struct nls_table *nls_cp)
160 {
161         char *bcc_ptr = *pbcc_area;
162 
163         /* copy user */
164         /* BB what about null user mounts - check that we do this BB */
165         /* copy user */
166         if (ses->user_name != NULL) {
167                 strncpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
168                 bcc_ptr += strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
169         }
170         /* else null user mount */
171         *bcc_ptr = 0;
172         bcc_ptr++; /* account for null termination */
173 
174         /* copy domain */
175         if (ses->domainName != NULL) {
176                 strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
177                 bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
178         } /* else we will send a null domain name
179              so the server will default to its own domain */
180         *bcc_ptr = 0;
181         bcc_ptr++;
182 
183         /* BB check for overflow here */
184 
185         strcpy(bcc_ptr, "Linux version ");
186         bcc_ptr += strlen("Linux version ");
187         strcpy(bcc_ptr, init_utsname()->release);
188         bcc_ptr += strlen(init_utsname()->release) + 1;
189 
190         strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
191         bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
192 
193         *pbcc_area = bcc_ptr;
194 }
195 
196 static void
197 decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
198                       const struct nls_table *nls_cp)
199 {
200         int len;
201         char *data = *pbcc_area;
202 
203         cifs_dbg(FYI, "bleft %d\n", bleft);
204 
205         kfree(ses->serverOS);
206         ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
207         cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
208         len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
209         data += len;
210         bleft -= len;
211         if (bleft <= 0)
212                 return;
213 
214         kfree(ses->serverNOS);
215         ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
216         cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
217         len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
218         data += len;
219         bleft -= len;
220         if (bleft <= 0)
221                 return;
222 
223         kfree(ses->serverDomain);
224         ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
225         cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
226 
227         return;
228 }
229 
230 static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
231                                 struct cifs_ses *ses,
232                                 const struct nls_table *nls_cp)
233 {
234         int len;
235         char *bcc_ptr = *pbcc_area;
236 
237         cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
238 
239         len = strnlen(bcc_ptr, bleft);
240         if (len >= bleft)
241                 return;
242 
243         kfree(ses->serverOS);
244 
245         ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
246         if (ses->serverOS) {
247                 strncpy(ses->serverOS, bcc_ptr, len);
248                 if (strncmp(ses->serverOS, "OS/2", 4) == 0)
249                         cifs_dbg(FYI, "OS/2 server\n");
250         }
251 
252         bcc_ptr += len + 1;
253         bleft -= len + 1;
254 
255         len = strnlen(bcc_ptr, bleft);
256         if (len >= bleft)
257                 return;
258 
259         kfree(ses->serverNOS);
260 
261         ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
262         if (ses->serverNOS)
263                 strncpy(ses->serverNOS, bcc_ptr, len);
264 
265         bcc_ptr += len + 1;
266         bleft -= len + 1;
267 
268         len = strnlen(bcc_ptr, bleft);
269         if (len > bleft)
270                 return;
271 
272         /* No domain field in LANMAN case. Domain is
273            returned by old servers in the SMB negprot response */
274         /* BB For newer servers which do not support Unicode,
275            but thus do return domain here we could add parsing
276            for it later, but it is not very important */
277         cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
278 }
279 
280 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
281                                     struct cifs_ses *ses)
282 {
283         unsigned int tioffset; /* challenge message target info area */
284         unsigned int tilen; /* challenge message target info area length  */
285 
286         CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
287 
288         if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
289                 cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
290                 return -EINVAL;
291         }
292 
293         if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
294                 cifs_dbg(VFS, "blob signature incorrect %s\n",
295                          pblob->Signature);
296                 return -EINVAL;
297         }
298         if (pblob->MessageType != NtLmChallenge) {
299                 cifs_dbg(VFS, "Incorrect message type %d\n",
300                          pblob->MessageType);
301                 return -EINVAL;
302         }
303 
304         memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
305         /* BB we could decode pblob->NegotiateFlags; some may be useful */
306         /* In particular we can examine sign flags */
307         /* BB spec says that if AvId field of MsvAvTimestamp is populated then
308                 we must set the MIC field of the AUTHENTICATE_MESSAGE */
309         ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
310         tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
311         tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
312         if (tioffset > blob_len || tioffset + tilen > blob_len) {
313                 cifs_dbg(VFS, "tioffset + tilen too high %u + %u",
314                         tioffset, tilen);
315                 return -EINVAL;
316         }
317         if (tilen) {
318                 ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
319                                                  GFP_KERNEL);
320                 if (!ses->auth_key.response) {
321                         cifs_dbg(VFS, "Challenge target info alloc failure");
322                         return -ENOMEM;
323                 }
324                 ses->auth_key.len = tilen;
325         }
326 
327         return 0;
328 }
329 
330 /* BB Move to ntlmssp.c eventually */
331 
332 /* We do not malloc the blob, it is passed in pbuffer, because
333    it is fixed size, and small, making this approach cleaner */
334 void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
335                                          struct cifs_ses *ses)
336 {
337         NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
338         __u32 flags;
339 
340         memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
341         memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
342         sec_blob->MessageType = NtLmNegotiate;
343 
344         /* BB is NTLMV2 session security format easier to use here? */
345         flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
346                 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
347                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
348         if (ses->server->sign) {
349                 flags |= NTLMSSP_NEGOTIATE_SIGN;
350                 if (!ses->server->session_estab ||
351                                 ses->ntlmssp->sesskey_per_smbsess)
352                         flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
353         }
354 
355         sec_blob->NegotiateFlags = cpu_to_le32(flags);
356 
357         sec_blob->WorkstationName.BufferOffset = 0;
358         sec_blob->WorkstationName.Length = 0;
359         sec_blob->WorkstationName.MaximumLength = 0;
360 
361         /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
362         sec_blob->DomainName.BufferOffset = 0;
363         sec_blob->DomainName.Length = 0;
364         sec_blob->DomainName.MaximumLength = 0;
365 }
366 
367 /* We do not malloc the blob, it is passed in pbuffer, because its
368    maximum possible size is fixed and small, making this approach cleaner.
369    This function returns the length of the data in the blob */
370 int build_ntlmssp_auth_blob(unsigned char *pbuffer,
371                                         u16 *buflen,
372                                    struct cifs_ses *ses,
373                                    const struct nls_table *nls_cp)
374 {
375         int rc;
376         AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
377         __u32 flags;
378         unsigned char *tmp;
379 
380         memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
381         sec_blob->MessageType = NtLmAuthenticate;
382 
383         flags = NTLMSSP_NEGOTIATE_56 |
384                 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
385                 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
386                 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
387         if (ses->server->sign) {
388                 flags |= NTLMSSP_NEGOTIATE_SIGN;
389                 if (!ses->server->session_estab ||
390                                 ses->ntlmssp->sesskey_per_smbsess)
391                         flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
392         }
393 
394         tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
395         sec_blob->NegotiateFlags = cpu_to_le32(flags);
396 
397         sec_blob->LmChallengeResponse.BufferOffset =
398                                 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
399         sec_blob->LmChallengeResponse.Length = 0;
400         sec_blob->LmChallengeResponse.MaximumLength = 0;
401 
402         sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
403         rc = setup_ntlmv2_rsp(ses, nls_cp);
404         if (rc) {
405                 cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
406                 goto setup_ntlmv2_ret;
407         }
408         memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
409                         ses->auth_key.len - CIFS_SESS_KEY_SIZE);
410         tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
411 
412         sec_blob->NtChallengeResponse.Length =
413                         cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
414         sec_blob->NtChallengeResponse.MaximumLength =
415                         cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
416 
417         if (ses->domainName == NULL) {
418                 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
419                 sec_blob->DomainName.Length = 0;
420                 sec_blob->DomainName.MaximumLength = 0;
421                 tmp += 2;
422         } else {
423                 int len;
424                 len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
425                                       CIFS_MAX_USERNAME_LEN, nls_cp);
426                 len *= 2; /* unicode is 2 bytes each */
427                 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
428                 sec_blob->DomainName.Length = cpu_to_le16(len);
429                 sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
430                 tmp += len;
431         }
432 
433         if (ses->user_name == NULL) {
434                 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
435                 sec_blob->UserName.Length = 0;
436                 sec_blob->UserName.MaximumLength = 0;
437                 tmp += 2;
438         } else {
439                 int len;
440                 len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
441                                       CIFS_MAX_USERNAME_LEN, nls_cp);
442                 len *= 2; /* unicode is 2 bytes each */
443                 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
444                 sec_blob->UserName.Length = cpu_to_le16(len);
445                 sec_blob->UserName.MaximumLength = cpu_to_le16(len);
446                 tmp += len;
447         }
448 
449         sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
450         sec_blob->WorkstationName.Length = 0;
451         sec_blob->WorkstationName.MaximumLength = 0;
452         tmp += 2;
453 
454         if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
455                 (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
456                         && !calc_seckey(ses)) {
457                 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
458                 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
459                 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
460                 sec_blob->SessionKey.MaximumLength =
461                                 cpu_to_le16(CIFS_CPHTXT_SIZE);
462                 tmp += CIFS_CPHTXT_SIZE;
463         } else {
464                 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
465                 sec_blob->SessionKey.Length = 0;
466                 sec_blob->SessionKey.MaximumLength = 0;
467         }
468 
469 setup_ntlmv2_ret:
470         *buflen = tmp - pbuffer;
471         return rc;
472 }
473 
474 enum securityEnum
475 select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
476 {
477         switch (server->negflavor) {
478         case CIFS_NEGFLAVOR_EXTENDED:
479                 switch (requested) {
480                 case Kerberos:
481                 case RawNTLMSSP:
482                         return requested;
483                 case Unspecified:
484                         if (server->sec_ntlmssp &&
485                             (global_secflags & CIFSSEC_MAY_NTLMSSP))
486                                 return RawNTLMSSP;
487                         if ((server->sec_kerberos || server->sec_mskerberos) &&
488                             (global_secflags & CIFSSEC_MAY_KRB5))
489                                 return Kerberos;
490                         /* Fallthrough */
491                 default:
492                         return Unspecified;
493                 }
494         case CIFS_NEGFLAVOR_UNENCAP:
495                 switch (requested) {
496                 case NTLM:
497                 case NTLMv2:
498                         return requested;
499                 case Unspecified:
500                         if (global_secflags & CIFSSEC_MAY_NTLMV2)
501                                 return NTLMv2;
502                         if (global_secflags & CIFSSEC_MAY_NTLM)
503                                 return NTLM;
504                 default:
505                         /* Fallthrough to attempt LANMAN authentication next */
506                         break;
507                 }
508         case CIFS_NEGFLAVOR_LANMAN:
509                 switch (requested) {
510                 case LANMAN:
511                         return requested;
512                 case Unspecified:
513                         if (global_secflags & CIFSSEC_MAY_LANMAN)
514                                 return LANMAN;
515                         /* Fallthrough */
516                 default:
517                         return Unspecified;
518                 }
519         default:
520                 return Unspecified;
521         }
522 }
523 
524 struct sess_data {
525         unsigned int xid;
526         struct cifs_ses *ses;
527         struct nls_table *nls_cp;
528         void (*func)(struct sess_data *);
529         int result;
530 
531         /* we will send the SMB in three pieces:
532          * a fixed length beginning part, an optional
533          * SPNEGO blob (which can be zero length), and a
534          * last part which will include the strings
535          * and rest of bcc area. This allows us to avoid
536          * a large buffer 17K allocation
537          */
538         int buf0_type;
539         struct kvec iov[3];
540 };
541 
542 static int
543 sess_alloc_buffer(struct sess_data *sess_data, int wct)
544 {
545         int rc;
546         struct cifs_ses *ses = sess_data->ses;
547         struct smb_hdr *smb_buf;
548 
549         rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
550                                   (void **)&smb_buf);
551 
552         if (rc)
553                 return rc;
554 
555         sess_data->iov[0].iov_base = (char *)smb_buf;
556         sess_data->iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
557         /*
558          * This variable will be used to clear the buffer
559          * allocated above in case of any error in the calling function.
560          */
561         sess_data->buf0_type = CIFS_SMALL_BUFFER;
562 
563         /* 2000 big enough to fit max user, domain, NOS name etc. */
564         sess_data->iov[2].iov_base = kmalloc(2000, GFP_KERNEL);
565         if (!sess_data->iov[2].iov_base) {
566                 rc = -ENOMEM;
567                 goto out_free_smb_buf;
568         }
569 
570         return 0;
571 
572 out_free_smb_buf:
573         kfree(smb_buf);
574         sess_data->iov[0].iov_base = NULL;
575         sess_data->iov[0].iov_len = 0;
576         sess_data->buf0_type = CIFS_NO_BUFFER;
577         return rc;
578 }
579 
580 static void
581 sess_free_buffer(struct sess_data *sess_data)
582 {
583 
584         free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
585         sess_data->buf0_type = CIFS_NO_BUFFER;
586         kfree(sess_data->iov[2].iov_base);
587 }
588 
589 static int
590 sess_establish_session(struct sess_data *sess_data)
591 {
592         struct cifs_ses *ses = sess_data->ses;
593 
594         mutex_lock(&ses->server->srv_mutex);
595         if (!ses->server->session_estab) {
596                 if (ses->server->sign) {
597                         ses->server->session_key.response =
598                                 kmemdup(ses->auth_key.response,
599                                 ses->auth_key.len, GFP_KERNEL);
600                         if (!ses->server->session_key.response) {
601                                 mutex_unlock(&ses->server->srv_mutex);
602                                 return -ENOMEM;
603                         }
604                         ses->server->session_key.len =
605                                                 ses->auth_key.len;
606                 }
607                 ses->server->sequence_number = 0x2;
608                 ses->server->session_estab = true;
609         }
610         mutex_unlock(&ses->server->srv_mutex);
611 
612         cifs_dbg(FYI, "CIFS session established successfully\n");
613         spin_lock(&GlobalMid_Lock);
614         ses->status = CifsGood;
615         ses->need_reconnect = false;
616         spin_unlock(&GlobalMid_Lock);
617 
618         return 0;
619 }
620 
621 static int
622 sess_sendreceive(struct sess_data *sess_data)
623 {
624         int rc;
625         struct smb_hdr *smb_buf = (struct smb_hdr *) sess_data->iov[0].iov_base;
626         __u16 count;
627 
628         count = sess_data->iov[1].iov_len + sess_data->iov[2].iov_len;
629         smb_buf->smb_buf_length =
630                 cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count);
631         put_bcc(count, smb_buf);
632 
633         rc = SendReceive2(sess_data->xid, sess_data->ses,
634                           sess_data->iov, 3 /* num_iovecs */,
635                           &sess_data->buf0_type,
636                           CIFS_LOG_ERROR);
637 
638         return rc;
639 }
640 
641 /*
642  * LANMAN and plaintext are less secure and off by default.
643  * So we make this explicitly be turned on in kconfig (in the
644  * build) and turned on at runtime (changed from the default)
645  * in proc/fs/cifs or via mount parm.  Unfortunately this is
646  * needed for old Win (e.g. Win95), some obscure NAS and OS/2
647  */
648 #ifdef CONFIG_CIFS_WEAK_PW_HASH
649 static void
650 sess_auth_lanman(struct sess_data *sess_data)
651 {
652         int rc = 0;
653         struct smb_hdr *smb_buf;
654         SESSION_SETUP_ANDX *pSMB;
655         char *bcc_ptr;
656         struct cifs_ses *ses = sess_data->ses;
657         char lnm_session_key[CIFS_AUTH_RESP_SIZE];
658         __u32 capabilities;
659         __u16 bytes_remaining;
660 
661         /* lanman 2 style sessionsetup */
662         /* wct = 10 */
663         rc = sess_alloc_buffer(sess_data, 10);
664         if (rc)
665                 goto out;
666 
667         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
668         bcc_ptr = sess_data->iov[2].iov_base;
669         capabilities = cifs_ssetup_hdr(ses, pSMB);
670 
671         pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
672 
673         /* no capabilities flags in old lanman negotiation */
674         pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
675 
676         /* Calculate hash with password and copy into bcc_ptr.
677          * Encryption Key (stored as in cryptkey) gets used if the
678          * security mode bit in Negottiate Protocol response states
679          * to use challenge/response method (i.e. Password bit is 1).
680          */
681         rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
682                               ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
683                               true : false, lnm_session_key);
684 
685         memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
686         bcc_ptr += CIFS_AUTH_RESP_SIZE;
687 
688         /*
689          * can not sign if LANMAN negotiated so no need
690          * to calculate signing key? but what if server
691          * changed to do higher than lanman dialect and
692          * we reconnected would we ever calc signing_key?
693          */
694 
695         cifs_dbg(FYI, "Negotiating LANMAN setting up strings\n");
696         /* Unicode not allowed for LANMAN dialects */
697         ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
698 
699         sess_data->iov[2].iov_len = (long) bcc_ptr -
700                         (long) sess_data->iov[2].iov_base;
701 
702         rc = sess_sendreceive(sess_data);
703         if (rc)
704                 goto out;
705 
706         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
707         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
708 
709         /* lanman response has a word count of 3 */
710         if (smb_buf->WordCount != 3) {
711                 rc = -EIO;
712                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
713                 goto out;
714         }
715 
716         if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
717                 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
718 
719         ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
720         cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
721 
722         bytes_remaining = get_bcc(smb_buf);
723         bcc_ptr = pByteArea(smb_buf);
724 
725         /* BB check if Unicode and decode strings */
726         if (bytes_remaining == 0) {
727                 /* no string area to decode, do nothing */
728         } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
729                 /* unicode string area must be word-aligned */
730                 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
731                         ++bcc_ptr;
732                         --bytes_remaining;
733                 }
734                 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
735                                       sess_data->nls_cp);
736         } else {
737                 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
738                                     sess_data->nls_cp);
739         }
740 
741         rc = sess_establish_session(sess_data);
742 out:
743         sess_data->result = rc;
744         sess_data->func = NULL;
745         sess_free_buffer(sess_data);
746 }
747 
748 #endif
749 
750 static void
751 sess_auth_ntlm(struct sess_data *sess_data)
752 {
753         int rc = 0;
754         struct smb_hdr *smb_buf;
755         SESSION_SETUP_ANDX *pSMB;
756         char *bcc_ptr;
757         struct cifs_ses *ses = sess_data->ses;
758         __u32 capabilities;
759         __u16 bytes_remaining;
760 
761         /* old style NTLM sessionsetup */
762         /* wct = 13 */
763         rc = sess_alloc_buffer(sess_data, 13);
764         if (rc)
765                 goto out;
766 
767         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
768         bcc_ptr = sess_data->iov[2].iov_base;
769         capabilities = cifs_ssetup_hdr(ses, pSMB);
770 
771         pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
772         pSMB->req_no_secext.CaseInsensitivePasswordLength =
773                         cpu_to_le16(CIFS_AUTH_RESP_SIZE);
774         pSMB->req_no_secext.CaseSensitivePasswordLength =
775                         cpu_to_le16(CIFS_AUTH_RESP_SIZE);
776 
777         /* calculate ntlm response and session key */
778         rc = setup_ntlm_response(ses, sess_data->nls_cp);
779         if (rc) {
780                 cifs_dbg(VFS, "Error %d during NTLM authentication\n",
781                                  rc);
782                 goto out;
783         }
784 
785         /* copy ntlm response */
786         memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
787                         CIFS_AUTH_RESP_SIZE);
788         bcc_ptr += CIFS_AUTH_RESP_SIZE;
789         memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
790                         CIFS_AUTH_RESP_SIZE);
791         bcc_ptr += CIFS_AUTH_RESP_SIZE;
792 
793         if (ses->capabilities & CAP_UNICODE) {
794                 /* unicode strings must be word aligned */
795                 if (sess_data->iov[0].iov_len % 2) {
796                         *bcc_ptr = 0;
797                         bcc_ptr++;
798                 }
799                 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
800         } else {
801                 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
802         }
803 
804 
805         sess_data->iov[2].iov_len = (long) bcc_ptr -
806                         (long) sess_data->iov[2].iov_base;
807 
808         rc = sess_sendreceive(sess_data);
809         if (rc)
810                 goto out;
811 
812         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
813         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
814 
815         if (smb_buf->WordCount != 3) {
816                 rc = -EIO;
817                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
818                 goto out;
819         }
820 
821         if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
822                 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
823 
824         ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
825         cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
826 
827         bytes_remaining = get_bcc(smb_buf);
828         bcc_ptr = pByteArea(smb_buf);
829 
830         /* BB check if Unicode and decode strings */
831         if (bytes_remaining == 0) {
832                 /* no string area to decode, do nothing */
833         } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
834                 /* unicode string area must be word-aligned */
835                 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
836                         ++bcc_ptr;
837                         --bytes_remaining;
838                 }
839                 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
840                                       sess_data->nls_cp);
841         } else {
842                 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
843                                     sess_data->nls_cp);
844         }
845 
846         rc = sess_establish_session(sess_data);
847 out:
848         sess_data->result = rc;
849         sess_data->func = NULL;
850         sess_free_buffer(sess_data);
851         kfree(ses->auth_key.response);
852         ses->auth_key.response = NULL;
853 }
854 
855 static void
856 sess_auth_ntlmv2(struct sess_data *sess_data)
857 {
858         int rc = 0;
859         struct smb_hdr *smb_buf;
860         SESSION_SETUP_ANDX *pSMB;
861         char *bcc_ptr;
862         struct cifs_ses *ses = sess_data->ses;
863         __u32 capabilities;
864         __u16 bytes_remaining;
865 
866         /* old style NTLM sessionsetup */
867         /* wct = 13 */
868         rc = sess_alloc_buffer(sess_data, 13);
869         if (rc)
870                 goto out;
871 
872         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
873         bcc_ptr = sess_data->iov[2].iov_base;
874         capabilities = cifs_ssetup_hdr(ses, pSMB);
875 
876         pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
877 
878         /* LM2 password would be here if we supported it */
879         pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
880 
881         /* calculate nlmv2 response and session key */
882         rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
883         if (rc) {
884                 cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
885                 goto out;
886         }
887 
888         memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
889                         ses->auth_key.len - CIFS_SESS_KEY_SIZE);
890         bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
891 
892         /* set case sensitive password length after tilen may get
893          * assigned, tilen is 0 otherwise.
894          */
895         pSMB->req_no_secext.CaseSensitivePasswordLength =
896                 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
897 
898         if (ses->capabilities & CAP_UNICODE) {
899                 if (sess_data->iov[0].iov_len % 2) {
900                         *bcc_ptr = 0;
901                         bcc_ptr++;
902                 }
903                 unicode_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
904         } else {
905                 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
906         }
907 
908 
909         sess_data->iov[2].iov_len = (long) bcc_ptr -
910                         (long) sess_data->iov[2].iov_base;
911 
912         rc = sess_sendreceive(sess_data);
913         if (rc)
914                 goto out;
915 
916         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
917         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
918 
919         if (smb_buf->WordCount != 3) {
920                 rc = -EIO;
921                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
922                 goto out;
923         }
924 
925         if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
926                 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
927 
928         ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
929         cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
930 
931         bytes_remaining = get_bcc(smb_buf);
932         bcc_ptr = pByteArea(smb_buf);
933 
934         /* BB check if Unicode and decode strings */
935         if (bytes_remaining == 0) {
936                 /* no string area to decode, do nothing */
937         } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
938                 /* unicode string area must be word-aligned */
939                 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
940                         ++bcc_ptr;
941                         --bytes_remaining;
942                 }
943                 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
944                                       sess_data->nls_cp);
945         } else {
946                 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
947                                     sess_data->nls_cp);
948         }
949 
950         rc = sess_establish_session(sess_data);
951 out:
952         sess_data->result = rc;
953         sess_data->func = NULL;
954         sess_free_buffer(sess_data);
955         kfree(ses->auth_key.response);
956         ses->auth_key.response = NULL;
957 }
958 
959 #ifdef CONFIG_CIFS_UPCALL
960 static void
961 sess_auth_kerberos(struct sess_data *sess_data)
962 {
963         int rc = 0;
964         struct smb_hdr *smb_buf;
965         SESSION_SETUP_ANDX *pSMB;
966         char *bcc_ptr;
967         struct cifs_ses *ses = sess_data->ses;
968         __u32 capabilities;
969         __u16 bytes_remaining;
970         struct key *spnego_key = NULL;
971         struct cifs_spnego_msg *msg;
972         u16 blob_len;
973 
974         /* extended security */
975         /* wct = 12 */
976         rc = sess_alloc_buffer(sess_data, 12);
977         if (rc)
978                 goto out;
979 
980         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
981         bcc_ptr = sess_data->iov[2].iov_base;
982         capabilities = cifs_ssetup_hdr(ses, pSMB);
983 
984         spnego_key = cifs_get_spnego_key(ses);
985         if (IS_ERR(spnego_key)) {
986                 rc = PTR_ERR(spnego_key);
987                 spnego_key = NULL;
988                 goto out;
989         }
990 
991         msg = spnego_key->payload.data;
992         /*
993          * check version field to make sure that cifs.upcall is
994          * sending us a response in an expected form
995          */
996         if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
997                 cifs_dbg(VFS,
998                   "incorrect version of cifs.upcall (expected %d but got %d)",
999                               CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1000                 rc = -EKEYREJECTED;
1001                 goto out_put_spnego_key;
1002         }
1003 
1004         ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1005                                          GFP_KERNEL);
1006         if (!ses->auth_key.response) {
1007                 cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory",
1008                                 msg->sesskey_len);
1009                 rc = -ENOMEM;
1010                 goto out_put_spnego_key;
1011         }
1012         ses->auth_key.len = msg->sesskey_len;
1013 
1014         pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1015         capabilities |= CAP_EXTENDED_SECURITY;
1016         pSMB->req.Capabilities = cpu_to_le32(capabilities);
1017         sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
1018         sess_data->iov[1].iov_len = msg->secblob_len;
1019         pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
1020 
1021         if (ses->capabilities & CAP_UNICODE) {
1022                 /* unicode strings must be word aligned */
1023                 if ((sess_data->iov[0].iov_len
1024                         + sess_data->iov[1].iov_len) % 2) {
1025                         *bcc_ptr = 0;
1026                         bcc_ptr++;
1027                 }
1028                 unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1029                 unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
1030         } else {
1031                 /* BB: is this right? */
1032                 ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
1033         }
1034 
1035         sess_data->iov[2].iov_len = (long) bcc_ptr -
1036                         (long) sess_data->iov[2].iov_base;
1037 
1038         rc = sess_sendreceive(sess_data);
1039         if (rc)
1040                 goto out_put_spnego_key;
1041 
1042         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1043         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1044 
1045         if (smb_buf->WordCount != 4) {
1046                 rc = -EIO;
1047                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1048                 goto out_put_spnego_key;
1049         }
1050 
1051         if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1052                 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1053 
1054         ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1055         cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1056 
1057         bytes_remaining = get_bcc(smb_buf);
1058         bcc_ptr = pByteArea(smb_buf);
1059 
1060         blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1061         if (blob_len > bytes_remaining) {
1062                 cifs_dbg(VFS, "bad security blob length %d\n",
1063                                 blob_len);
1064                 rc = -EINVAL;
1065                 goto out_put_spnego_key;
1066         }
1067         bcc_ptr += blob_len;
1068         bytes_remaining -= blob_len;
1069 
1070         /* BB check if Unicode and decode strings */
1071         if (bytes_remaining == 0) {
1072                 /* no string area to decode, do nothing */
1073         } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1074                 /* unicode string area must be word-aligned */
1075                 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1076                         ++bcc_ptr;
1077                         --bytes_remaining;
1078                 }
1079                 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1080                                       sess_data->nls_cp);
1081         } else {
1082                 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1083                                     sess_data->nls_cp);
1084         }
1085 
1086         rc = sess_establish_session(sess_data);
1087 out_put_spnego_key:
1088         key_invalidate(spnego_key);
1089         key_put(spnego_key);
1090 out:
1091         sess_data->result = rc;
1092         sess_data->func = NULL;
1093         sess_free_buffer(sess_data);
1094         kfree(ses->auth_key.response);
1095         ses->auth_key.response = NULL;
1096 }
1097 
1098 #endif /* ! CONFIG_CIFS_UPCALL */
1099 
1100 /*
1101  * The required kvec buffers have to be allocated before calling this
1102  * function.
1103  */
1104 static int
1105 _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1106 {
1107         struct smb_hdr *smb_buf;
1108         SESSION_SETUP_ANDX *pSMB;
1109         struct cifs_ses *ses = sess_data->ses;
1110         __u32 capabilities;
1111         char *bcc_ptr;
1112 
1113         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1114         smb_buf = (struct smb_hdr *)pSMB;
1115 
1116         capabilities = cifs_ssetup_hdr(ses, pSMB);
1117         if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
1118                 cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
1119                 return -ENOSYS;
1120         }
1121 
1122         pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
1123         capabilities |= CAP_EXTENDED_SECURITY;
1124         pSMB->req.Capabilities |= cpu_to_le32(capabilities);
1125 
1126         bcc_ptr = sess_data->iov[2].iov_base;
1127         /* unicode strings must be word aligned */
1128         if ((sess_data->iov[0].iov_len + sess_data->iov[1].iov_len) % 2) {
1129                 *bcc_ptr = 0;
1130                 bcc_ptr++;
1131         }
1132         unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
1133 
1134         sess_data->iov[2].iov_len = (long) bcc_ptr -
1135                                         (long) sess_data->iov[2].iov_base;
1136 
1137         return 0;
1138 }
1139 
1140 static void
1141 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1142 
1143 static void
1144 sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1145 {
1146         int rc;
1147         struct smb_hdr *smb_buf;
1148         SESSION_SETUP_ANDX *pSMB;
1149         struct cifs_ses *ses = sess_data->ses;
1150         __u16 bytes_remaining;
1151         char *bcc_ptr;
1152         u16 blob_len;
1153 
1154         cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1155 
1156         /*
1157          * if memory allocation is successful, caller of this function
1158          * frees it.
1159          */
1160         ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1161         if (!ses->ntlmssp) {
1162                 rc = -ENOMEM;
1163                 goto out;
1164         }
1165         ses->ntlmssp->sesskey_per_smbsess = false;
1166 
1167         /* wct = 12 */
1168         rc = sess_alloc_buffer(sess_data, 12);
1169         if (rc)
1170                 goto out;
1171 
1172         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1173 
1174         /* Build security blob before we assemble the request */
1175         build_ntlmssp_negotiate_blob(pSMB->req.SecurityBlob, ses);
1176         sess_data->iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
1177         sess_data->iov[1].iov_base = pSMB->req.SecurityBlob;
1178         pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
1179 
1180         rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1181         if (rc)
1182                 goto out;
1183 
1184         rc = sess_sendreceive(sess_data);
1185 
1186         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1187         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1188 
1189         /* If true, rc here is expected and not an error */
1190         if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1191             smb_buf->Status.CifsError ==
1192                         cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1193                 rc = 0;
1194 
1195         if (rc)
1196                 goto out;
1197 
1198         cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1199 
1200         if (smb_buf->WordCount != 4) {
1201                 rc = -EIO;
1202                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1203                 goto out;
1204         }
1205 
1206         ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
1207         cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1208 
1209         bytes_remaining = get_bcc(smb_buf);
1210         bcc_ptr = pByteArea(smb_buf);
1211 
1212         blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1213         if (blob_len > bytes_remaining) {
1214                 cifs_dbg(VFS, "bad security blob length %d\n",
1215                                 blob_len);
1216                 rc = -EINVAL;
1217                 goto out;
1218         }
1219 
1220         rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1221 out:
1222         sess_free_buffer(sess_data);
1223 
1224         if (!rc) {
1225                 sess_data->func = sess_auth_rawntlmssp_authenticate;
1226                 return;
1227         }
1228 
1229         /* Else error. Cleanup */
1230         kfree(ses->auth_key.response);
1231         ses->auth_key.response = NULL;
1232         kfree(ses->ntlmssp);
1233         ses->ntlmssp = NULL;
1234 
1235         sess_data->func = NULL;
1236         sess_data->result = rc;
1237 }
1238 
1239 static void
1240 sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1241 {
1242         int rc;
1243         struct smb_hdr *smb_buf;
1244         SESSION_SETUP_ANDX *pSMB;
1245         struct cifs_ses *ses = sess_data->ses;
1246         __u16 bytes_remaining;
1247         char *bcc_ptr;
1248         char *ntlmsspblob = NULL;
1249         u16 blob_len;
1250 
1251         cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1252 
1253         /* wct = 12 */
1254         rc = sess_alloc_buffer(sess_data, 12);
1255         if (rc)
1256                 goto out;
1257 
1258         /* Build security blob before we assemble the request */
1259         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1260         smb_buf = (struct smb_hdr *)pSMB;
1261         /*
1262          * 5 is an empirical value, large enough to hold
1263          * authenticate message plus max 10 of av paris,
1264          * domain, user, workstation names, flags, etc.
1265          */
1266         ntlmsspblob = kzalloc(5*sizeof(struct _AUTHENTICATE_MESSAGE),
1267                                 GFP_KERNEL);
1268         if (!ntlmsspblob) {
1269                 rc = -ENOMEM;
1270                 goto out;
1271         }
1272 
1273         rc = build_ntlmssp_auth_blob(ntlmsspblob,
1274                                         &blob_len, ses, sess_data->nls_cp);
1275         if (rc)
1276                 goto out_free_ntlmsspblob;
1277         sess_data->iov[1].iov_len = blob_len;
1278         sess_data->iov[1].iov_base = ntlmsspblob;
1279         pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1280         /*
1281          * Make sure that we tell the server that we are using
1282          * the uid that it just gave us back on the response
1283          * (challenge)
1284          */
1285         smb_buf->Uid = ses->Suid;
1286 
1287         rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1288         if (rc)
1289                 goto out_free_ntlmsspblob;
1290 
1291         rc = sess_sendreceive(sess_data);
1292         if (rc)
1293                 goto out_free_ntlmsspblob;
1294 
1295         pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
1296         smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
1297         if (smb_buf->WordCount != 4) {
1298                 rc = -EIO;
1299                 cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1300                 goto out_free_ntlmsspblob;
1301         }
1302 
1303         if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1304                 cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
1305 
1306         if (ses->Suid != smb_buf->Uid) {
1307                 ses->Suid = smb_buf->Uid;
1308                 cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1309         }
1310 
1311         bytes_remaining = get_bcc(smb_buf);
1312         bcc_ptr = pByteArea(smb_buf);
1313         blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1314         if (blob_len > bytes_remaining) {
1315                 cifs_dbg(VFS, "bad security blob length %d\n",
1316                                 blob_len);
1317                 rc = -EINVAL;
1318                 goto out_free_ntlmsspblob;
1319         }
1320         bcc_ptr += blob_len;
1321         bytes_remaining -= blob_len;
1322 
1323 
1324         /* BB check if Unicode and decode strings */
1325         if (bytes_remaining == 0) {
1326                 /* no string area to decode, do nothing */
1327         } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1328                 /* unicode string area must be word-aligned */
1329                 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
1330                         ++bcc_ptr;
1331                         --bytes_remaining;
1332                 }
1333                 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
1334                                       sess_data->nls_cp);
1335         } else {
1336                 decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
1337                                     sess_data->nls_cp);
1338         }
1339 
1340 out_free_ntlmsspblob:
1341         kfree(ntlmsspblob);
1342 out:
1343         sess_free_buffer(sess_data);
1344 
1345          if (!rc)
1346                 rc = sess_establish_session(sess_data);
1347 
1348         /* Cleanup */
1349         kfree(ses->auth_key.response);
1350         ses->auth_key.response = NULL;
1351         kfree(ses->ntlmssp);
1352         ses->ntlmssp = NULL;
1353 
1354         sess_data->func = NULL;
1355         sess_data->result = rc;
1356 }
1357 
1358 static int select_sec(struct cifs_ses *ses, struct sess_data *sess_data)
1359 {
1360         int type;
1361 
1362         type = select_sectype(ses->server, ses->sectype);
1363         cifs_dbg(FYI, "sess setup type %d\n", type);
1364         if (type == Unspecified) {
1365                 cifs_dbg(VFS,
1366                         "Unable to select appropriate authentication method!");
1367                 return -EINVAL;
1368         }
1369 
1370         switch (type) {
1371         case LANMAN:
1372                 /* LANMAN and plaintext are less secure and off by default.
1373                  * So we make this explicitly be turned on in kconfig (in the
1374                  * build) and turned on at runtime (changed from the default)
1375                  * in proc/fs/cifs or via mount parm.  Unfortunately this is
1376                  * needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
1377 #ifdef CONFIG_CIFS_WEAK_PW_HASH
1378                 sess_data->func = sess_auth_lanman;
1379                 break;
1380 #else
1381                 return -EOPNOTSUPP;
1382 #endif
1383         case NTLM:
1384                 sess_data->func = sess_auth_ntlm;
1385                 break;
1386         case NTLMv2:
1387                 sess_data->func = sess_auth_ntlmv2;
1388                 break;
1389         case Kerberos:
1390 #ifdef CONFIG_CIFS_UPCALL
1391                 sess_data->func = sess_auth_kerberos;
1392                 break;
1393 #else
1394                 cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1395                 return -ENOSYS;
1396                 break;
1397 #endif /* CONFIG_CIFS_UPCALL */
1398         case RawNTLMSSP:
1399                 sess_data->func = sess_auth_rawntlmssp_negotiate;
1400                 break;
1401         default:
1402                 cifs_dbg(VFS, "secType %d not supported!\n", type);
1403                 return -ENOSYS;
1404         }
1405 
1406         return 0;
1407 }
1408 
1409 int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1410                     const struct nls_table *nls_cp)
1411 {
1412         int rc = 0;
1413         struct sess_data *sess_data;
1414 
1415         if (ses == NULL) {
1416                 WARN(1, "%s: ses == NULL!", __func__);
1417                 return -EINVAL;
1418         }
1419 
1420         sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
1421         if (!sess_data)
1422                 return -ENOMEM;
1423 
1424         rc = select_sec(ses, sess_data);
1425         if (rc)
1426                 goto out;
1427 
1428         sess_data->xid = xid;
1429         sess_data->ses = ses;
1430         sess_data->buf0_type = CIFS_NO_BUFFER;
1431         sess_data->nls_cp = (struct nls_table *) nls_cp;
1432 
1433         while (sess_data->func)
1434                 sess_data->func(sess_data);
1435 
1436         /* Store result before we free sess_data */
1437         rc = sess_data->result;
1438 
1439 out:
1440         kfree(sess_data);
1441         return rc;
1442 }
1443 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp