blob: 382c06d01b385bf618de01f0cb20a65dd25d38c0 [file] [log] [blame]
Steve French39798772006-05-31 22:40:51 +00001/*
2 * fs/cifs/sess.c
3 *
4 * SMB/CIFS session setup handling routines
5 *
Steve Frenchd185cda2009-04-30 17:45:10 +00006 * Copyright (c) International Business Machines Corp., 2006, 2009
Steve French39798772006-05-31 22:40:51 +00007 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24#include "cifspdu.h"
25#include "cifsglob.h"
26#include "cifsproto.h"
27#include "cifs_unicode.h"
28#include "cifs_debug.h"
29#include "ntlmssp.h"
30#include "nterr.h"
Steve French9c535882006-06-01 05:09:10 +000031#include <linux/utsname.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +090032#include <linux/slab.h>
Steve French24424212007-11-16 23:37:35 +000033#include "cifs_spnego.h"
Steve French39798772006-05-31 22:40:51 +000034
Jeff Laytonebe6aa52010-04-24 07:57:47 -040035/*
36 * Checks if this is the first smb session to be reconnected after
37 * the socket has been reestablished (so we know whether to use vc 0).
38 * Called while holding the cifs_tcp_ses_lock, so do not block
39 */
Steve French96daf2b2011-05-27 04:34:02 +000040static bool is_first_ses_reconnect(struct cifs_ses *ses)
Steve Frencheca6acf2009-02-20 05:43:09 +000041{
42 struct list_head *tmp;
Steve French96daf2b2011-05-27 04:34:02 +000043 struct cifs_ses *tmp_ses;
Steve Frencheca6acf2009-02-20 05:43:09 +000044
45 list_for_each(tmp, &ses->server->smb_ses_list) {
Steve French96daf2b2011-05-27 04:34:02 +000046 tmp_ses = list_entry(tmp, struct cifs_ses,
Steve Frencheca6acf2009-02-20 05:43:09 +000047 smb_ses_list);
48 if (tmp_ses->need_reconnect == false)
49 return false;
50 }
51 /* could not find a session that was already connected,
52 this must be the first one we are reconnecting */
53 return true;
54}
55
56/*
57 * vc number 0 is treated specially by some servers, and should be the
58 * first one we request. After that we can use vcnumbers up to maxvcs,
59 * one for each smb session (some Windows versions set maxvcs incorrectly
60 * so maxvc=1 can be ignored). If we have too many vcs, we can reuse
61 * any vc but zero (some servers reset the connection on vcnum zero)
62 *
63 */
Steve French96daf2b2011-05-27 04:34:02 +000064static __le16 get_next_vcnum(struct cifs_ses *ses)
Steve Frencheca6acf2009-02-20 05:43:09 +000065{
66 __u16 vcnum = 0;
67 struct list_head *tmp;
Steve French96daf2b2011-05-27 04:34:02 +000068 struct cifs_ses *tmp_ses;
Steve Frencheca6acf2009-02-20 05:43:09 +000069 __u16 max_vcs = ses->server->max_vcs;
70 __u16 i;
71 int free_vc_found = 0;
72
73 /* Quoting the MS-SMB specification: "Windows-based SMB servers set this
74 field to one but do not enforce this limit, which allows an SMB client
75 to establish more virtual circuits than allowed by this value ... but
76 other server implementations can enforce this limit." */
77 if (max_vcs < 2)
78 max_vcs = 0xFFFF;
79
Suresh Jayaraman3f9bcca2010-10-18 23:29:37 +053080 spin_lock(&cifs_tcp_ses_lock);
Steve Frencheca6acf2009-02-20 05:43:09 +000081 if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
82 goto get_vc_num_exit; /* vcnum will be zero */
83 for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
84 if (i == 0) /* this is the only connection, use vc 0 */
85 break;
86
87 free_vc_found = 1;
88
89 list_for_each(tmp, &ses->server->smb_ses_list) {
Steve French96daf2b2011-05-27 04:34:02 +000090 tmp_ses = list_entry(tmp, struct cifs_ses,
Steve Frencheca6acf2009-02-20 05:43:09 +000091 smb_ses_list);
92 if (tmp_ses->vcnum == i) {
93 free_vc_found = 0;
94 break; /* found duplicate, try next vcnum */
95 }
96 }
97 if (free_vc_found)
98 break; /* we found a vcnumber that will work - use it */
99 }
100
101 if (i == 0)
102 vcnum = 0; /* for most common case, ie if one smb session, use
103 vc zero. Also for case when no free vcnum, zero
104 is safest to send (some clients only send zero) */
105 else if (free_vc_found == 0)
106 vcnum = 1; /* we can not reuse vc=0 safely, since some servers
107 reset all uids on that, but 1 is ok. */
108 else
109 vcnum = i;
110 ses->vcnum = vcnum;
111get_vc_num_exit:
Suresh Jayaraman3f9bcca2010-10-18 23:29:37 +0530112 spin_unlock(&cifs_tcp_ses_lock);
Steve Frencheca6acf2009-02-20 05:43:09 +0000113
Steve French051a2a02009-05-01 16:21:04 +0000114 return cpu_to_le16(vcnum);
Steve Frencheca6acf2009-02-20 05:43:09 +0000115}
116
Steve French96daf2b2011-05-27 04:34:02 +0000117static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
Steve French39798772006-05-31 22:40:51 +0000118{
119 __u32 capabilities = 0;
120
121 /* init fields common to all four types of SessSetup */
Steve Frencheca6acf2009-02-20 05:43:09 +0000122 /* Note that offsets for first seven fields in req struct are same */
123 /* in CIFS Specs so does not matter which of 3 forms of struct */
124 /* that we use in next few lines */
125 /* Note that header is initialized to zero in header_assemble */
Steve French39798772006-05-31 22:40:51 +0000126 pSMB->req.AndXCommand = 0xFF;
Jeff Laytonc974bef2011-10-11 06:41:32 -0400127 pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
128 CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4,
129 USHRT_MAX));
Steve French39798772006-05-31 22:40:51 +0000130 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
Steve Frencheca6acf2009-02-20 05:43:09 +0000131 pSMB->req.VcNumber = get_next_vcnum(ses);
Steve French39798772006-05-31 22:40:51 +0000132
133 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
134
Steve French790fe572007-07-07 19:25:05 +0000135 /* BB verify whether signing required on neg or just on auth frame
Steve French39798772006-05-31 22:40:51 +0000136 (and NTLM case) */
137
138 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
139 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
140
Steve French96daf2b2011-05-27 04:34:02 +0000141 if (ses->server->sec_mode &
Steve French790fe572007-07-07 19:25:05 +0000142 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
Steve French39798772006-05-31 22:40:51 +0000143 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
144
145 if (ses->capabilities & CAP_UNICODE) {
146 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
147 capabilities |= CAP_UNICODE;
148 }
149 if (ses->capabilities & CAP_STATUS32) {
150 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
151 capabilities |= CAP_STATUS32;
152 }
153 if (ses->capabilities & CAP_DFS) {
154 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
155 capabilities |= CAP_DFS;
156 }
Steve French26f57362007-08-30 22:09:15 +0000157 if (ses->capabilities & CAP_UNIX)
Steve French39798772006-05-31 22:40:51 +0000158 capabilities |= CAP_UNIX;
Steve French39798772006-05-31 22:40:51 +0000159
Steve French39798772006-05-31 22:40:51 +0000160 return capabilities;
161}
162
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000163static void
164unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
165{
166 char *bcc_ptr = *pbcc_area;
167 int bytes_ret = 0;
168
169 /* Copy OS version */
Steve Frenchacbbb762012-01-18 22:32:33 -0600170 bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32,
171 nls_cp);
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000172 bcc_ptr += 2 * bytes_ret;
Steve Frenchacbbb762012-01-18 22:32:33 -0600173 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
174 32, nls_cp);
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000175 bcc_ptr += 2 * bytes_ret;
176 bcc_ptr += 2; /* trailing null */
177
Steve Frenchacbbb762012-01-18 22:32:33 -0600178 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
179 32, nls_cp);
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000180 bcc_ptr += 2 * bytes_ret;
181 bcc_ptr += 2; /* trailing null */
182
183 *pbcc_area = bcc_ptr;
184}
185
Steve French96daf2b2011-05-27 04:34:02 +0000186static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000187 const struct nls_table *nls_cp)
188{
189 char *bcc_ptr = *pbcc_area;
190 int bytes_ret = 0;
191
192 /* copy domain */
193 if (ses->domainName == NULL) {
194 /* Sending null domain better than using a bogus domain name (as
195 we did briefly in 2.6.18) since server will use its default */
196 *bcc_ptr = 0;
197 *(bcc_ptr+1) = 0;
198 bytes_ret = 0;
199 } else
Steve Frenchacbbb762012-01-18 22:32:33 -0600200 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
201 256, nls_cp);
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000202 bcc_ptr += 2 * bytes_ret;
203 bcc_ptr += 2; /* account for null terminator */
204
205 *pbcc_area = bcc_ptr;
206}
207
208
Steve French96daf2b2011-05-27 04:34:02 +0000209static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
Steve French790fe572007-07-07 19:25:05 +0000210 const struct nls_table *nls_cp)
Steve French39798772006-05-31 22:40:51 +0000211{
Steve French790fe572007-07-07 19:25:05 +0000212 char *bcc_ptr = *pbcc_area;
Steve French39798772006-05-31 22:40:51 +0000213 int bytes_ret = 0;
214
215 /* BB FIXME add check that strings total less
216 than 335 or will need to send them as arrays */
217
Steve French0223cf02006-06-27 19:50:57 +0000218 /* unicode strings, must be word aligned before the call */
219/* if ((long) bcc_ptr % 2) {
Steve French39798772006-05-31 22:40:51 +0000220 *bcc_ptr = 0;
221 bcc_ptr++;
Steve French0223cf02006-06-27 19:50:57 +0000222 } */
Steve French39798772006-05-31 22:40:51 +0000223 /* copy user */
Steve French8727c8a2011-02-25 01:11:56 -0600224 if (ses->user_name == NULL) {
Steve French6e659c62006-11-08 23:10:46 +0000225 /* null user mount */
226 *bcc_ptr = 0;
227 *(bcc_ptr+1) = 0;
Steve French301a6a32010-02-06 07:08:53 +0000228 } else {
Steve Frenchacbbb762012-01-18 22:32:33 -0600229 bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
230 MAX_USERNAME_SIZE, nls_cp);
Steve French39798772006-05-31 22:40:51 +0000231 }
232 bcc_ptr += 2 * bytes_ret;
233 bcc_ptr += 2; /* account for null termination */
Steve French39798772006-05-31 22:40:51 +0000234
Jeff Layton0d3a01f2007-10-16 17:32:19 +0000235 unicode_domain_string(&bcc_ptr, ses, nls_cp);
236 unicode_oslm_strings(&bcc_ptr, nls_cp);
Steve French39798772006-05-31 22:40:51 +0000237
238 *pbcc_area = bcc_ptr;
239}
240
Steve French96daf2b2011-05-27 04:34:02 +0000241static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
Steve French790fe572007-07-07 19:25:05 +0000242 const struct nls_table *nls_cp)
Steve French39798772006-05-31 22:40:51 +0000243{
Steve French790fe572007-07-07 19:25:05 +0000244 char *bcc_ptr = *pbcc_area;
Steve French39798772006-05-31 22:40:51 +0000245
246 /* copy user */
247 /* BB what about null user mounts - check that we do this BB */
Steve French790fe572007-07-07 19:25:05 +0000248 /* copy user */
Shirish Pargaonkarde47a412012-02-02 15:28:28 -0600249 if (ses->user_name != NULL) {
Steve French8727c8a2011-02-25 01:11:56 -0600250 strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
Shirish Pargaonkarde47a412012-02-02 15:28:28 -0600251 bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
252 }
Steve French8727c8a2011-02-25 01:11:56 -0600253 /* else null user mount */
Steve French39798772006-05-31 22:40:51 +0000254 *bcc_ptr = 0;
Steve French790fe572007-07-07 19:25:05 +0000255 bcc_ptr++; /* account for null termination */
Steve French39798772006-05-31 22:40:51 +0000256
Steve French790fe572007-07-07 19:25:05 +0000257 /* copy domain */
Steve French790fe572007-07-07 19:25:05 +0000258 if (ses->domainName != NULL) {
259 strncpy(bcc_ptr, ses->domainName, 256);
Steve French39798772006-05-31 22:40:51 +0000260 bcc_ptr += strnlen(ses->domainName, 256);
Steve French790fe572007-07-07 19:25:05 +0000261 } /* else we will send a null domain name
Steve French6e659c62006-11-08 23:10:46 +0000262 so the server will default to its own domain */
Steve French39798772006-05-31 22:40:51 +0000263 *bcc_ptr = 0;
264 bcc_ptr++;
265
266 /* BB check for overflow here */
267
268 strcpy(bcc_ptr, "Linux version ");
269 bcc_ptr += strlen("Linux version ");
Serge E. Hallyn96b644b2006-10-02 02:18:13 -0700270 strcpy(bcc_ptr, init_utsname()->release);
271 bcc_ptr += strlen(init_utsname()->release) + 1;
Steve French39798772006-05-31 22:40:51 +0000272
273 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
274 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
275
Steve French790fe572007-07-07 19:25:05 +0000276 *pbcc_area = bcc_ptr;
Steve French39798772006-05-31 22:40:51 +0000277}
278
Jeff Layton59140792009-04-30 07:16:21 -0400279static void
Steve French96daf2b2011-05-27 04:34:02 +0000280decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
Jeff Layton59140792009-04-30 07:16:21 -0400281 const struct nls_table *nls_cp)
Steve French39798772006-05-31 22:40:51 +0000282{
Jeff Layton59140792009-04-30 07:16:21 -0400283 int len;
Steve French790fe572007-07-07 19:25:05 +0000284 char *data = *pbcc_area;
Steve French39798772006-05-31 22:40:51 +0000285
Joe Perchesb6b38f72010-04-21 03:50:45 +0000286 cFYI(1, "bleft %d", bleft);
Steve French39798772006-05-31 22:40:51 +0000287
Steve French26f57362007-08-30 22:09:15 +0000288 kfree(ses->serverOS);
Steve Frenchacbbb762012-01-18 22:32:33 -0600289 ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
Joe Perchesb6b38f72010-04-21 03:50:45 +0000290 cFYI(1, "serverOS=%s", ses->serverOS);
Jeff Layton59140792009-04-30 07:16:21 -0400291 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
292 data += len;
293 bleft -= len;
294 if (bleft <= 0)
295 return;
Steve French39798772006-05-31 22:40:51 +0000296
Steve French26f57362007-08-30 22:09:15 +0000297 kfree(ses->serverNOS);
Steve Frenchacbbb762012-01-18 22:32:33 -0600298 ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
Joe Perchesb6b38f72010-04-21 03:50:45 +0000299 cFYI(1, "serverNOS=%s", ses->serverNOS);
Jeff Layton59140792009-04-30 07:16:21 -0400300 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
301 data += len;
302 bleft -= len;
303 if (bleft <= 0)
304 return;
Steve French39798772006-05-31 22:40:51 +0000305
Steve French26f57362007-08-30 22:09:15 +0000306 kfree(ses->serverDomain);
Steve Frenchacbbb762012-01-18 22:32:33 -0600307 ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp);
Joe Perchesb6b38f72010-04-21 03:50:45 +0000308 cFYI(1, "serverDomain=%s", ses->serverDomain);
Steve French790fe572007-07-07 19:25:05 +0000309
Jeff Layton59140792009-04-30 07:16:21 -0400310 return;
Steve French39798772006-05-31 22:40:51 +0000311}
312
Jeff Layton690c5222011-01-20 13:36:51 -0500313static int decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
Steve French96daf2b2011-05-27 04:34:02 +0000314 struct cifs_ses *ses,
Steve French790fe572007-07-07 19:25:05 +0000315 const struct nls_table *nls_cp)
Steve French39798772006-05-31 22:40:51 +0000316{
317 int rc = 0;
318 int len;
Steve French790fe572007-07-07 19:25:05 +0000319 char *bcc_ptr = *pbcc_area;
Steve French39798772006-05-31 22:40:51 +0000320
Joe Perchesb6b38f72010-04-21 03:50:45 +0000321 cFYI(1, "decode sessetup ascii. bleft %d", bleft);
Steve French50c2f752007-07-13 00:33:32 +0000322
Steve French39798772006-05-31 22:40:51 +0000323 len = strnlen(bcc_ptr, bleft);
Steve French790fe572007-07-07 19:25:05 +0000324 if (len >= bleft)
Steve French39798772006-05-31 22:40:51 +0000325 return rc;
Steve French50c2f752007-07-13 00:33:32 +0000326
Steve French26f57362007-08-30 22:09:15 +0000327 kfree(ses->serverOS);
Steve French39798772006-05-31 22:40:51 +0000328
329 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
Steve French790fe572007-07-07 19:25:05 +0000330 if (ses->serverOS)
Steve French39798772006-05-31 22:40:51 +0000331 strncpy(ses->serverOS, bcc_ptr, len);
Steve French790fe572007-07-07 19:25:05 +0000332 if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000333 cFYI(1, "OS/2 server");
Steve French9ac00b72006-09-30 04:13:17 +0000334 ses->flags |= CIFS_SES_OS2;
335 }
Steve French39798772006-05-31 22:40:51 +0000336
337 bcc_ptr += len + 1;
338 bleft -= len + 1;
339
340 len = strnlen(bcc_ptr, bleft);
Steve French790fe572007-07-07 19:25:05 +0000341 if (len >= bleft)
Steve French39798772006-05-31 22:40:51 +0000342 return rc;
343
Steve French26f57362007-08-30 22:09:15 +0000344 kfree(ses->serverNOS);
Steve French39798772006-05-31 22:40:51 +0000345
346 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
Steve French790fe572007-07-07 19:25:05 +0000347 if (ses->serverNOS)
Steve French39798772006-05-31 22:40:51 +0000348 strncpy(ses->serverNOS, bcc_ptr, len);
349
350 bcc_ptr += len + 1;
351 bleft -= len + 1;
352
Steve French790fe572007-07-07 19:25:05 +0000353 len = strnlen(bcc_ptr, bleft);
354 if (len > bleft)
355 return rc;
Steve French39798772006-05-31 22:40:51 +0000356
Steve French9ac00b72006-09-30 04:13:17 +0000357 /* No domain field in LANMAN case. Domain is
358 returned by old servers in the SMB negprot response */
359 /* BB For newer servers which do not support Unicode,
360 but thus do return domain here we could add parsing
361 for it later, but it is not very important */
Joe Perchesb6b38f72010-04-21 03:50:45 +0000362 cFYI(1, "ascii: bytes left %d", bleft);
Steve French39798772006-05-31 22:40:51 +0000363
364 return rc;
365}
366
Pavel Shilovsky5478f9b2011-12-27 16:22:00 +0400367int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
Steve French96daf2b2011-05-27 04:34:02 +0000368 struct cifs_ses *ses)
Steve French0b3cc8582009-05-04 08:37:12 +0000369{
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500370 unsigned int tioffset; /* challenge message target info area */
371 unsigned int tilen; /* challenge message target info area length */
372
Steve French0b3cc8582009-05-04 08:37:12 +0000373 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
374
375 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000376 cERROR(1, "challenge blob len %d too small", blob_len);
Steve French0b3cc8582009-05-04 08:37:12 +0000377 return -EINVAL;
378 }
379
380 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000381 cERROR(1, "blob signature incorrect %s", pblob->Signature);
Steve French0b3cc8582009-05-04 08:37:12 +0000382 return -EINVAL;
383 }
384 if (pblob->MessageType != NtLmChallenge) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000385 cERROR(1, "Incorrect message type %d", pblob->MessageType);
Steve French0b3cc8582009-05-04 08:37:12 +0000386 return -EINVAL;
387 }
388
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500389 memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
Steve French0b3cc8582009-05-04 08:37:12 +0000390 /* BB we could decode pblob->NegotiateFlags; some may be useful */
391 /* In particular we can examine sign flags */
392 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
393 we must set the MIC field of the AUTHENTICATE_MESSAGE */
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500394 ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
Steve French5443d132011-03-13 05:08:25 +0000395 tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
396 tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
Dan Carpenter4991a5f2012-01-31 11:52:01 +0300397 if (tioffset > blob_len || tioffset + tilen > blob_len) {
398 cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
399 return -EINVAL;
400 }
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500401 if (tilen) {
402 ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
403 if (!ses->auth_key.response) {
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500404 cERROR(1, "Challenge target info allocation failure");
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500405 return -ENOMEM;
406 }
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500407 memcpy(ses->auth_key.response, bcc_ptr + tioffset, tilen);
408 ses->auth_key.len = tilen;
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500409 }
410
Steve French0b3cc8582009-05-04 08:37:12 +0000411 return 0;
412}
413
Steve French0b3cc8582009-05-04 08:37:12 +0000414/* BB Move to ntlmssp.c eventually */
415
416/* We do not malloc the blob, it is passed in pbuffer, because
417 it is fixed size, and small, making this approach cleaner */
Pavel Shilovsky5478f9b2011-12-27 16:22:00 +0400418void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
Steve French96daf2b2011-05-27 04:34:02 +0000419 struct cifs_ses *ses)
Steve French0b3cc8582009-05-04 08:37:12 +0000420{
421 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
422 __u32 flags;
423
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600424 memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
Steve French0b3cc8582009-05-04 08:37:12 +0000425 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
426 sec_blob->MessageType = NtLmNegotiate;
427
428 /* BB is NTLMV2 session security format easier to use here? */
429 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
430 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600431 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
Steve French96daf2b2011-05-27 04:34:02 +0000432 if (ses->server->sec_mode &
Shirish Pargaonkard2b91522010-10-21 14:25:08 -0500433 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
Steve French745e5072010-09-08 21:09:27 +0000434 flags |= NTLMSSP_NEGOTIATE_SIGN;
Shirish Pargaonkard2b91522010-10-21 14:25:08 -0500435 if (!ses->server->session_estab)
Shirish Pargaonkar62411ab2011-07-10 06:55:32 -0500436 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
Shirish Pargaonkard2b91522010-10-21 14:25:08 -0500437 }
Steve French0b3cc8582009-05-04 08:37:12 +0000438
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600439 sec_blob->NegotiateFlags = cpu_to_le32(flags);
Steve French0b3cc8582009-05-04 08:37:12 +0000440
441 sec_blob->WorkstationName.BufferOffset = 0;
442 sec_blob->WorkstationName.Length = 0;
443 sec_blob->WorkstationName.MaximumLength = 0;
444
445 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
446 sec_blob->DomainName.BufferOffset = 0;
447 sec_blob->DomainName.Length = 0;
448 sec_blob->DomainName.MaximumLength = 0;
449}
450
451/* We do not malloc the blob, it is passed in pbuffer, because its
452 maximum possible size is fixed and small, making this approach cleaner.
453 This function returns the length of the data in the blob */
Pavel Shilovsky5478f9b2011-12-27 16:22:00 +0400454int build_ntlmssp_auth_blob(unsigned char *pbuffer,
Shirish Pargaonkar89f150f2010-10-19 11:47:52 -0500455 u16 *buflen,
Steve French96daf2b2011-05-27 04:34:02 +0000456 struct cifs_ses *ses,
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500457 const struct nls_table *nls_cp)
Steve French0b3cc8582009-05-04 08:37:12 +0000458{
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500459 int rc;
Steve French0b3cc8582009-05-04 08:37:12 +0000460 AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
461 __u32 flags;
462 unsigned char *tmp;
Steve French0b3cc8582009-05-04 08:37:12 +0000463
464 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
465 sec_blob->MessageType = NtLmAuthenticate;
466
467 flags = NTLMSSP_NEGOTIATE_56 |
468 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
469 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600470 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
Steve French96daf2b2011-05-27 04:34:02 +0000471 if (ses->server->sec_mode &
Shirish Pargaonkar62411ab2011-07-10 06:55:32 -0500472 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
Steve French0b3cc8582009-05-04 08:37:12 +0000473 flags |= NTLMSSP_NEGOTIATE_SIGN;
Shirish Pargaonkar62411ab2011-07-10 06:55:32 -0500474 if (!ses->server->session_estab)
475 flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
476 }
Steve French0b3cc8582009-05-04 08:37:12 +0000477
478 tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600479 sec_blob->NegotiateFlags = cpu_to_le32(flags);
Steve French0b3cc8582009-05-04 08:37:12 +0000480
481 sec_blob->LmChallengeResponse.BufferOffset =
482 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
483 sec_blob->LmChallengeResponse.Length = 0;
484 sec_blob->LmChallengeResponse.MaximumLength = 0;
485
Steve Frenchc8e56f12010-09-08 21:10:58 +0000486 sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500487 rc = setup_ntlmv2_rsp(ses, nls_cp);
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500488 if (rc) {
489 cERROR(1, "Error %d during NTLMSSP authentication", rc);
490 goto setup_ntlmv2_ret;
491 }
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500492 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
493 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
494 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
Steve Frenchc8e56f12010-09-08 21:10:58 +0000495
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500496 sec_blob->NtChallengeResponse.Length =
497 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500498 sec_blob->NtChallengeResponse.MaximumLength =
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500499 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
Steve French0b3cc8582009-05-04 08:37:12 +0000500
501 if (ses->domainName == NULL) {
502 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
503 sec_blob->DomainName.Length = 0;
504 sec_blob->DomainName.MaximumLength = 0;
505 tmp += 2;
506 } else {
507 int len;
Steve Frenchacbbb762012-01-18 22:32:33 -0600508 len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
509 MAX_USERNAME_SIZE, nls_cp);
Steve French0b3cc8582009-05-04 08:37:12 +0000510 len *= 2; /* unicode is 2 bytes each */
Steve French0b3cc8582009-05-04 08:37:12 +0000511 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
512 sec_blob->DomainName.Length = cpu_to_le16(len);
513 sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
514 tmp += len;
515 }
516
Steve French8727c8a2011-02-25 01:11:56 -0600517 if (ses->user_name == NULL) {
Steve French0b3cc8582009-05-04 08:37:12 +0000518 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
519 sec_blob->UserName.Length = 0;
520 sec_blob->UserName.MaximumLength = 0;
521 tmp += 2;
522 } else {
523 int len;
Steve Frenchacbbb762012-01-18 22:32:33 -0600524 len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
525 MAX_USERNAME_SIZE, nls_cp);
Steve French0b3cc8582009-05-04 08:37:12 +0000526 len *= 2; /* unicode is 2 bytes each */
Steve French0b3cc8582009-05-04 08:37:12 +0000527 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
528 sec_blob->UserName.Length = cpu_to_le16(len);
529 sec_blob->UserName.MaximumLength = cpu_to_le16(len);
530 tmp += len;
531 }
532
533 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
534 sec_blob->WorkstationName.Length = 0;
535 sec_blob->WorkstationName.MaximumLength = 0;
536 tmp += 2;
537
Shirish Pargaonkardf8fbc242010-12-11 14:19:22 -0600538 if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
539 (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
540 && !calc_seckey(ses)) {
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500541 memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
Shirish Pargaonkard2b91522010-10-21 14:25:08 -0500542 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
543 sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
544 sec_blob->SessionKey.MaximumLength =
545 cpu_to_le16(CIFS_CPHTXT_SIZE);
546 tmp += CIFS_CPHTXT_SIZE;
547 } else {
548 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
549 sec_blob->SessionKey.Length = 0;
550 sec_blob->SessionKey.MaximumLength = 0;
551 }
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500552
553setup_ntlmv2_ret:
Shirish Pargaonkar89f150f2010-10-19 11:47:52 -0500554 *buflen = tmp - pbuffer;
555 return rc;
Steve French0b3cc8582009-05-04 08:37:12 +0000556}
Steve French0b3cc8582009-05-04 08:37:12 +0000557
Steve French790fe572007-07-07 19:25:05 +0000558int
Pavel Shilovsky58c45c52012-05-25 10:54:49 +0400559CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
Jeff Laytonebe6aa52010-04-24 07:57:47 -0400560 const struct nls_table *nls_cp)
Steve French39798772006-05-31 22:40:51 +0000561{
562 int rc = 0;
563 int wct;
Steve French39798772006-05-31 22:40:51 +0000564 struct smb_hdr *smb_buf;
565 char *bcc_ptr;
Steve French750d1152006-06-27 06:28:30 +0000566 char *str_area;
Steve French39798772006-05-31 22:40:51 +0000567 SESSION_SETUP_ANDX *pSMB;
568 __u32 capabilities;
Jeff Layton690c5222011-01-20 13:36:51 -0500569 __u16 count;
Steve French24424212007-11-16 23:37:35 +0000570 int resp_buf_type;
571 struct kvec iov[3];
Steve French39798772006-05-31 22:40:51 +0000572 enum securityEnum type;
Jeff Layton690c5222011-01-20 13:36:51 -0500573 __u16 action, bytes_remaining;
Steve French24424212007-11-16 23:37:35 +0000574 struct key *spnego_key = NULL;
Steve French0b3cc8582009-05-04 08:37:12 +0000575 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
Shirish Pargaonkar89f150f2010-10-19 11:47:52 -0500576 u16 blob_len;
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500577 char *ntlmsspblob = NULL;
Steve French254e55e2006-06-04 05:53:15 +0000578
Steve French790fe572007-07-07 19:25:05 +0000579 if (ses == NULL)
Steve French39798772006-05-31 22:40:51 +0000580 return -EINVAL;
581
582 type = ses->server->secType;
Joe Perchesb6b38f72010-04-21 03:50:45 +0000583 cFYI(1, "sess setup type %d", type);
Shirish Pargaonkard3686d52010-10-28 09:53:07 -0500584 if (type == RawNTLMSSP) {
585 /* if memory allocation is successful, caller of this function
586 * frees it.
587 */
588 ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
589 if (!ses->ntlmssp)
590 return -ENOMEM;
591 }
592
Steve French0b3cc8582009-05-04 08:37:12 +0000593ssetup_ntlmssp_authenticate:
594 if (phase == NtLmChallenge)
595 phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
596
Steve French790fe572007-07-07 19:25:05 +0000597 if (type == LANMAN) {
Steve French39798772006-05-31 22:40:51 +0000598#ifndef CONFIG_CIFS_WEAK_PW_HASH
599 /* LANMAN and plaintext are less secure and off by default.
600 So we make this explicitly be turned on in kconfig (in the
601 build) and turned on at runtime (changed from the default)
602 in proc/fs/cifs or via mount parm. Unfortunately this is
603 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
604 return -EOPNOTSUPP;
605#endif
606 wct = 10; /* lanman 2 style sessionsetup */
Steve French790fe572007-07-07 19:25:05 +0000607 } else if ((type == NTLM) || (type == NTLMv2)) {
Steve French9312f672006-06-04 22:21:07 +0000608 /* For NTLMv2 failures eventually may need to retry NTLM */
Steve French39798772006-05-31 22:40:51 +0000609 wct = 13; /* old style NTLM sessionsetup */
Steve French790fe572007-07-07 19:25:05 +0000610 } else /* same size: negotiate or auth, NTLMSSP or extended security */
Steve French39798772006-05-31 22:40:51 +0000611 wct = 12;
612
613 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
614 (void **)&smb_buf);
Steve French790fe572007-07-07 19:25:05 +0000615 if (rc)
Steve French39798772006-05-31 22:40:51 +0000616 return rc;
617
618 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
619
620 capabilities = cifs_ssetup_hdr(ses, pSMB);
Steve French750d1152006-06-27 06:28:30 +0000621
Steve French24424212007-11-16 23:37:35 +0000622 /* we will send the SMB in three pieces:
623 a fixed length beginning part, an optional
624 SPNEGO blob (which can be zero length), and a
625 last part which will include the strings
626 and rest of bcc area. This allows us to avoid
627 a large buffer 17K allocation */
Steve French790fe572007-07-07 19:25:05 +0000628 iov[0].iov_base = (char *)pSMB;
Steve Frenchbe8e3b02011-04-29 05:40:20 +0000629 iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
Steve French750d1152006-06-27 06:28:30 +0000630
Steve French24424212007-11-16 23:37:35 +0000631 /* setting this here allows the code at the end of the function
632 to free the request buffer if there's an error */
633 resp_buf_type = CIFS_SMALL_BUFFER;
634
Steve French750d1152006-06-27 06:28:30 +0000635 /* 2000 big enough to fit max user, domain, NOS name etc. */
636 str_area = kmalloc(2000, GFP_KERNEL);
Cyrill Gorcunov5e6e6232007-08-18 00:15:20 +0000637 if (str_area == NULL) {
Steve French24424212007-11-16 23:37:35 +0000638 rc = -ENOMEM;
639 goto ssetup_exit;
Cyrill Gorcunov5e6e6232007-08-18 00:15:20 +0000640 }
Steve French750d1152006-06-27 06:28:30 +0000641 bcc_ptr = str_area;
Steve French39798772006-05-31 22:40:51 +0000642
Steve French9ac00b72006-09-30 04:13:17 +0000643 ses->flags &= ~CIFS_SES_LANMAN;
644
Steve French24424212007-11-16 23:37:35 +0000645 iov[1].iov_base = NULL;
646 iov[1].iov_len = 0;
647
Steve French790fe572007-07-07 19:25:05 +0000648 if (type == LANMAN) {
Steve French39798772006-05-31 22:40:51 +0000649#ifdef CONFIG_CIFS_WEAK_PW_HASH
Shirish Pargaonkar5e640922011-02-17 14:38:31 -0600650 char lnm_session_key[CIFS_AUTH_RESP_SIZE];
Steve French39798772006-05-31 22:40:51 +0000651
Steve Frenchc76da9d2008-08-28 15:32:22 +0000652 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
653
Steve French39798772006-05-31 22:40:51 +0000654 /* no capabilities flags in old lanman negotiation */
655
Shirish Pargaonkar5e640922011-02-17 14:38:31 -0600656 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
Steve French39798772006-05-31 22:40:51 +0000657
Shirish Pargaonkard3ba50b2010-10-27 15:20:36 -0500658 /* Calculate hash with password and copy into bcc_ptr.
659 * Encryption Key (stored as in cryptkey) gets used if the
660 * security mode bit in Negottiate Protocol response states
661 * to use challenge/response method (i.e. Password bit is 1).
662 */
663
Steve French43988d72011-04-19 18:23:31 +0000664 rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
Steve French96daf2b2011-05-27 04:34:02 +0000665 ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
Jeff Layton4e53a3f2008-12-05 20:41:21 -0500666 true : false, lnm_session_key);
667
Steve French790fe572007-07-07 19:25:05 +0000668 ses->flags |= CIFS_SES_LANMAN;
Shirish Pargaonkar5e640922011-02-17 14:38:31 -0600669 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
670 bcc_ptr += CIFS_AUTH_RESP_SIZE;
Steve French39798772006-05-31 22:40:51 +0000671
672 /* can not sign if LANMAN negotiated so no need
673 to calculate signing key? but what if server
674 changed to do higher than lanman dialect and
675 we reconnected would we ever calc signing_key? */
676
Joe Perchesb6b38f72010-04-21 03:50:45 +0000677 cFYI(1, "Negotiating LANMAN setting up strings");
Steve French39798772006-05-31 22:40:51 +0000678 /* Unicode not allowed for LANMAN dialects */
679 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
Steve French790fe572007-07-07 19:25:05 +0000680#endif
Steve French39798772006-05-31 22:40:51 +0000681 } else if (type == NTLM) {
Steve French39798772006-05-31 22:40:51 +0000682 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
683 pSMB->req_no_secext.CaseInsensitivePasswordLength =
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500684 cpu_to_le16(CIFS_AUTH_RESP_SIZE);
Steve French39798772006-05-31 22:40:51 +0000685 pSMB->req_no_secext.CaseSensitivePasswordLength =
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500686 cpu_to_le16(CIFS_AUTH_RESP_SIZE);
Steve French50c2f752007-07-13 00:33:32 +0000687
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500688 /* calculate ntlm response and session key */
Shirish Pargaonkar9ef59922011-10-20 13:21:59 -0500689 rc = setup_ntlm_response(ses, nls_cp);
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500690 if (rc) {
691 cERROR(1, "Error %d during NTLM authentication", rc);
692 goto ssetup_exit;
693 }
Steve French39798772006-05-31 22:40:51 +0000694
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500695 /* copy ntlm response */
696 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
697 CIFS_AUTH_RESP_SIZE);
698 bcc_ptr += CIFS_AUTH_RESP_SIZE;
699 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
700 CIFS_AUTH_RESP_SIZE);
701 bcc_ptr += CIFS_AUTH_RESP_SIZE;
702
Steve French790fe572007-07-07 19:25:05 +0000703 if (ses->capabilities & CAP_UNICODE) {
Steve French0223cf02006-06-27 19:50:57 +0000704 /* unicode strings must be word aligned */
705 if (iov[0].iov_len % 2) {
706 *bcc_ptr = 0;
Steve French790fe572007-07-07 19:25:05 +0000707 bcc_ptr++;
708 }
Steve French7c7b25b2006-06-01 19:20:10 +0000709 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
Steve French0223cf02006-06-27 19:50:57 +0000710 } else
Steve French7c7b25b2006-06-01 19:20:10 +0000711 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
712 } else if (type == NTLMv2) {
Steve French7c7b25b2006-06-01 19:20:10 +0000713 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
714
715 /* LM2 password would be here if we supported it */
716 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
Steve French7c7b25b2006-06-01 19:20:10 +0000717
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500718 /* calculate nlmv2 response and session key */
719 rc = setup_ntlmv2_rsp(ses, nls_cp);
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500720 if (rc) {
721 cERROR(1, "Error %d during NTLMv2 authentication", rc);
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500722 goto ssetup_exit;
723 }
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500724 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
725 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
726 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
727
Shirish Pargaonkarc9928f72010-10-04 19:56:13 -0500728 /* set case sensitive password length after tilen may get
729 * assigned, tilen is 0 otherwise.
730 */
731 pSMB->req_no_secext.CaseSensitivePasswordLength =
Shirish Pargaonkarf7c54452010-10-26 18:10:24 -0500732 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
Shirish Pargaonkarc9928f72010-10-04 19:56:13 -0500733
Steve French790fe572007-07-07 19:25:05 +0000734 if (ses->capabilities & CAP_UNICODE) {
735 if (iov[0].iov_len % 2) {
Steve French0223cf02006-06-27 19:50:57 +0000736 *bcc_ptr = 0;
Steve French26f57362007-08-30 22:09:15 +0000737 bcc_ptr++;
738 }
Steve French39798772006-05-31 22:40:51 +0000739 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
Steve French0223cf02006-06-27 19:50:57 +0000740 } else
Steve French39798772006-05-31 22:40:51 +0000741 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
Jeff Layton26efa0b2010-04-24 07:57:49 -0400742 } else if (type == Kerberos) {
Steve French24424212007-11-16 23:37:35 +0000743#ifdef CONFIG_CIFS_UPCALL
744 struct cifs_spnego_msg *msg;
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500745
Steve French24424212007-11-16 23:37:35 +0000746 spnego_key = cifs_get_spnego_key(ses);
747 if (IS_ERR(spnego_key)) {
748 rc = PTR_ERR(spnego_key);
749 spnego_key = NULL;
750 goto ssetup_exit;
751 }
752
753 msg = spnego_key->payload.data;
Steve French6ce5eec2008-08-26 00:37:14 +0000754 /* check version field to make sure that cifs.upcall is
755 sending us a response in an expected form */
756 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000757 cERROR(1, "incorrect version of cifs.upcall (expected"
Steve French6ce5eec2008-08-26 00:37:14 +0000758 " %d but got %d)",
Joe Perchesb6b38f72010-04-21 03:50:45 +0000759 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
Steve French6ce5eec2008-08-26 00:37:14 +0000760 rc = -EKEYREJECTED;
761 goto ssetup_exit;
762 }
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500763
764 ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
765 if (!ses->auth_key.response) {
766 cERROR(1, "Kerberos can't allocate (%u bytes) memory",
767 msg->sesskey_len);
768 rc = -ENOMEM;
Steve French24424212007-11-16 23:37:35 +0000769 goto ssetup_exit;
770 }
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500771 memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
Shirish Pargaonkar5d0d2882010-10-13 18:15:00 -0500772 ses->auth_key.len = msg->sesskey_len;
Shirish Pargaonkar21e73392010-10-21 06:42:55 -0500773
Steve French39798772006-05-31 22:40:51 +0000774 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
775 capabilities |= CAP_EXTENDED_SECURITY;
776 pSMB->req.Capabilities = cpu_to_le32(capabilities);
Steve French24424212007-11-16 23:37:35 +0000777 iov[1].iov_base = msg->data + msg->sesskey_len;
778 iov[1].iov_len = msg->secblob_len;
779 pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
780
781 if (ses->capabilities & CAP_UNICODE) {
782 /* unicode strings must be word aligned */
Jeff Layton28c5a022007-12-31 04:56:21 +0000783 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
Steve French24424212007-11-16 23:37:35 +0000784 *bcc_ptr = 0;
785 bcc_ptr++;
786 }
787 unicode_oslm_strings(&bcc_ptr, nls_cp);
788 unicode_domain_string(&bcc_ptr, ses, nls_cp);
789 } else
790 /* BB: is this right? */
791 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
792#else /* ! CONFIG_CIFS_UPCALL */
Joe Perchesb6b38f72010-04-21 03:50:45 +0000793 cERROR(1, "Kerberos negotiated but upcall support disabled!");
Steve French24424212007-11-16 23:37:35 +0000794 rc = -ENOSYS;
795 goto ssetup_exit;
796#endif /* CONFIG_CIFS_UPCALL */
Jeff Laytonb4d6fcf2011-01-07 11:30:28 -0500797 } else if (type == RawNTLMSSP) {
798 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
799 cERROR(1, "NTLMSSP requires Unicode support");
Steve French0b3cc8582009-05-04 08:37:12 +0000800 rc = -ENOSYS;
801 goto ssetup_exit;
802 }
Jeff Laytonb4d6fcf2011-01-07 11:30:28 -0500803
804 cFYI(1, "ntlmssp session setup phase %d", phase);
805 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
806 capabilities |= CAP_EXTENDED_SECURITY;
807 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
808 switch(phase) {
809 case NtLmNegotiate:
810 build_ntlmssp_negotiate_blob(
811 pSMB->req.SecurityBlob, ses);
812 iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
813 iov[1].iov_base = pSMB->req.SecurityBlob;
814 pSMB->req.SecurityBlobLength =
815 cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
816 break;
817 case NtLmAuthenticate:
818 /*
819 * 5 is an empirical value, large enough to hold
820 * authenticate message plus max 10 of av paris,
821 * domain, user, workstation names, flags, etc.
822 */
823 ntlmsspblob = kzalloc(
824 5*sizeof(struct _AUTHENTICATE_MESSAGE),
825 GFP_KERNEL);
826 if (!ntlmsspblob) {
827 cERROR(1, "Can't allocate NTLMSSP blob");
828 rc = -ENOMEM;
829 goto ssetup_exit;
830 }
831
832 rc = build_ntlmssp_auth_blob(ntlmsspblob,
833 &blob_len, ses, nls_cp);
834 if (rc)
835 goto ssetup_exit;
836 iov[1].iov_len = blob_len;
837 iov[1].iov_base = ntlmsspblob;
838 pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
839 /*
840 * Make sure that we tell the server that we are using
841 * the uid that it just gave us back on the response
842 * (challenge)
843 */
844 smb_buf->Uid = ses->Suid;
845 break;
846 default:
847 cERROR(1, "invalid phase %d", phase);
848 rc = -ENOSYS;
849 goto ssetup_exit;
850 }
851 /* unicode strings must be word aligned */
852 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
853 *bcc_ptr = 0;
854 bcc_ptr++;
855 }
856 unicode_oslm_strings(&bcc_ptr, nls_cp);
857 } else {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000858 cERROR(1, "secType %d not supported!", type);
Steve French24424212007-11-16 23:37:35 +0000859 rc = -ENOSYS;
860 goto ssetup_exit;
Steve French39798772006-05-31 22:40:51 +0000861 }
862
Steve French24424212007-11-16 23:37:35 +0000863 iov[2].iov_base = str_area;
864 iov[2].iov_len = (long) bcc_ptr - (long) str_area;
865
866 count = iov[1].iov_len + iov[2].iov_len;
Steve Frenchbe8e3b02011-04-29 05:40:20 +0000867 smb_buf->smb_buf_length =
868 cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count);
Steve French39798772006-05-31 22:40:51 +0000869
Jeff Layton820a8032011-05-04 08:05:26 -0400870 put_bcc(count, smb_buf);
Steve French39798772006-05-31 22:40:51 +0000871
Steve French24424212007-11-16 23:37:35 +0000872 rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
Jeff Layton77499812011-01-11 07:24:23 -0500873 CIFS_LOG_ERROR);
Steve French39798772006-05-31 22:40:51 +0000874 /* SMB request buf freed in SendReceive2 */
875
Steve French39798772006-05-31 22:40:51 +0000876 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
877 smb_buf = (struct smb_hdr *)iov[0].iov_base;
878
Steve French0b3cc8582009-05-04 08:37:12 +0000879 if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
880 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
881 if (phase != NtLmNegotiate) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000882 cERROR(1, "Unexpected more processing error");
Steve French0b3cc8582009-05-04 08:37:12 +0000883 goto ssetup_exit;
884 }
885 /* NTLMSSP Negotiate sent now processing challenge (response) */
886 phase = NtLmChallenge; /* process ntlmssp challenge */
887 rc = 0; /* MORE_PROC rc is not an error here, but expected */
888 }
889 if (rc)
890 goto ssetup_exit;
891
Steve French790fe572007-07-07 19:25:05 +0000892 if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
Steve French39798772006-05-31 22:40:51 +0000893 rc = -EIO;
Joe Perchesb6b38f72010-04-21 03:50:45 +0000894 cERROR(1, "bad word count %d", smb_buf->WordCount);
Steve French39798772006-05-31 22:40:51 +0000895 goto ssetup_exit;
896 }
897 action = le16_to_cpu(pSMB->resp.Action);
898 if (action & GUEST_LOGIN)
Joe Perchesb6b38f72010-04-21 03:50:45 +0000899 cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
Steve French39798772006-05-31 22:40:51 +0000900 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
Pavel Shilovsky286170a2012-05-25 10:43:58 +0400901 cFYI(1, "UID = %llu ", ses->Suid);
Steve French39798772006-05-31 22:40:51 +0000902 /* response can have either 3 or 4 word count - Samba sends 3 */
903 /* and lanman response is 3 */
Jeff Layton690c5222011-01-20 13:36:51 -0500904 bytes_remaining = get_bcc(smb_buf);
Steve French39798772006-05-31 22:40:51 +0000905 bcc_ptr = pByteArea(smb_buf);
906
Steve French790fe572007-07-07 19:25:05 +0000907 if (smb_buf->WordCount == 4) {
Steve French39798772006-05-31 22:40:51 +0000908 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
Steve French790fe572007-07-07 19:25:05 +0000909 if (blob_len > bytes_remaining) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000910 cERROR(1, "bad security blob length %d", blob_len);
Steve French39798772006-05-31 22:40:51 +0000911 rc = -EINVAL;
912 goto ssetup_exit;
913 }
Steve French0b3cc8582009-05-04 08:37:12 +0000914 if (phase == NtLmChallenge) {
915 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
916 /* now goto beginning for ntlmssp authenticate phase */
917 if (rc)
918 goto ssetup_exit;
919 }
920 bcc_ptr += blob_len;
Steve French39798772006-05-31 22:40:51 +0000921 bytes_remaining -= blob_len;
Steve French790fe572007-07-07 19:25:05 +0000922 }
Steve French39798772006-05-31 22:40:51 +0000923
924 /* BB check if Unicode and decode strings */
Jeff Laytonfcda7f42011-04-27 13:25:51 -0400925 if (bytes_remaining == 0) {
926 /* no string area to decode, do nothing */
927 } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
Jeff Layton27b87fe2009-04-14 11:00:53 -0400928 /* unicode string area must be word-aligned */
929 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
930 ++bcc_ptr;
931 --bytes_remaining;
932 }
Jeff Layton59140792009-04-30 07:16:21 -0400933 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
Jeff Layton27b87fe2009-04-14 11:00:53 -0400934 } else {
Steve French63135e02007-07-17 17:34:02 +0000935 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
936 ses, nls_cp);
Jeff Layton27b87fe2009-04-14 11:00:53 -0400937 }
Steve French50c2f752007-07-13 00:33:32 +0000938
Steve French39798772006-05-31 22:40:51 +0000939ssetup_exit:
Jeff Laytondfd15c462008-09-24 11:32:59 -0400940 if (spnego_key) {
Jeff Layton00401ff2012-07-23 13:14:28 -0400941 key_invalidate(spnego_key);
Steve French24424212007-11-16 23:37:35 +0000942 key_put(spnego_key);
Jeff Laytondfd15c462008-09-24 11:32:59 -0400943 }
Steve French750d1152006-06-27 06:28:30 +0000944 kfree(str_area);
Shirish Pargaonkar2b149f12010-09-18 22:02:18 -0500945 kfree(ntlmsspblob);
946 ntlmsspblob = NULL;
Steve French790fe572007-07-07 19:25:05 +0000947 if (resp_buf_type == CIFS_SMALL_BUFFER) {
Joe Perchesb6b38f72010-04-21 03:50:45 +0000948 cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
Steve French39798772006-05-31 22:40:51 +0000949 cifs_small_buf_release(iov[0].iov_base);
Steve French790fe572007-07-07 19:25:05 +0000950 } else if (resp_buf_type == CIFS_LARGE_BUFFER)
Steve French39798772006-05-31 22:40:51 +0000951 cifs_buf_release(iov[0].iov_base);
952
Steve French0b3cc8582009-05-04 08:37:12 +0000953 /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
954 if ((phase == NtLmChallenge) && (rc == 0))
955 goto ssetup_ntlmssp_authenticate;
956
Steve French39798772006-05-31 22:40:51 +0000957 return rc;
958}