[deliverable/linux.git] / fs / cifs / sess.c

/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
 *   Copyright (c) International Business Machines  Corp., 2006
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
#include <linux/utsname.h>

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
                         unsigned char *p24);

static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
	/* note that header is initialized to zero in header_assemble */
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

	/* BB verify whether signing required on neg or just on auth frame 
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

	if(ses->server->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
	if (ses->capabilities & CAP_UNIX) {
		capabilities |= CAP_UNIX;
	}

	/* BB check whether to init vcnum BB */
	return capabilities;
}

static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
			    const struct nls_table * nls_cp)
{
	char * bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
		*bcc_ptr = 0;
		bcc_ptr++;
	} */
	/* copy user */
	if(ses->userName == NULL) {
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
	} else { /* 300 should be long enough for any conceivable user name */
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
					  300, nls_cp);
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */
	/* copy domain */
	if(ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName, 
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
                                  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
			  const struct nls_table * nls_cp)
{
	char * bcc_ptr = *pbcc_area;

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
        /* copy user */
        if(ses->userName == NULL) {
                /* BB what about null user mounts - check that we do this BB */
        } else { /* 300 should be long enough for any conceivable user name */
                strncpy(bcc_ptr, ses->userName, 300);
        }
	/* BB improve check for overflow */
        bcc_ptr += strnlen(ses->userName, 300);
	*bcc_ptr = 0;
        bcc_ptr++; /* account for null termination */

        /* copy domain */
	
        if(ses->domainName != NULL) {
                strncpy(bcc_ptr, ses->domainName, 256); 
		bcc_ptr += strnlen(ses->domainName, 256);
	} /* else we will send a null domain name 
	     so the server will default to its own domain */
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

        *pbcc_area = bcc_ptr;
}

static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
                            const struct nls_table * nls_cp)
{
	int rc = 0;
	int words_left, len;
	char * data = *pbcc_area;


	cFYI(1,("bleft %d",bleft));


	/* SMB header is unaligned, so cifs servers word align start of
	   Unicode strings */
	data++;
	bleft--; /* Windows servers do not always double null terminate
		    their final Unicode string - in which case we
		    now will not attempt to decode the byte of junk
		    which follows it */
		    
	words_left = bleft / 2;

	/* save off server operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

/* We look for obvious messed up bcc or strings in response so we do not go off
   the end since (at least) WIN2K and Windows XP have a major bug in not null
   terminating last Unicode string in response  */
	if(len >= words_left)
		return rc;

	if(ses->serverOS)
		kfree(ses->serverOS);
	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
	if(ses->serverOS != NULL) {
		cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
				   nls_cp);
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server network operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

	if(len >= words_left)
		return rc;

	if(ses->serverNOS)
		kfree(ses->serverNOS);
	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
	if(ses->serverNOS != NULL) {
		cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
				   nls_cp);
		if(strncmp(ses->serverNOS, "NT LAN Manager 4",16) == 0) {
			cFYI(1,("NT4 server"));
			ses->flags |= CIFS_SES_NT4;
		}
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

        /* save off server domain */
        len = UniStrnlen((wchar_t *) data, words_left);

        if(len > words_left)
                return rc;

        if(ses->serverDomain)
                kfree(ses->serverDomain);
        ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
        if(ses->serverDomain != NULL) {
                cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
                                   nls_cp);
                ses->serverDomain[2*len] = 0;
                ses->serverDomain[(2*len) + 1] = 0;
        }
        data += 2 * (len + 1);
        words_left -= len + 1;
	
	cFYI(1,("words left: %d",words_left));

	return rc;
}

static int decode_ascii_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
                            const struct nls_table * nls_cp)
{
	int rc = 0;
	int len;
	char * bcc_ptr = *pbcc_area;

	cFYI(1,("decode sessetup ascii. bleft %d", bleft));
	
	len = strnlen(bcc_ptr, bleft);
	if(len >= bleft)
		return rc;
	
	if(ses->serverOS)
		kfree(ses->serverOS);

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
	if(ses->serverOS)
		strncpy(ses->serverOS, bcc_ptr, len);
	if(strncmp(ses->serverOS, "OS/2",4) == 0) {
			cFYI(1,("OS/2 server"));
			ses->flags |= CIFS_SES_OS2;
	}

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
	if(len >= bleft)
		return rc;

	if(ses->serverNOS)
		kfree(ses->serverNOS);

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
	if(ses->serverNOS)
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

        len = strnlen(bcc_ptr, bleft);
        if(len > bleft)
                return rc;

	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
	cFYI(1,("ascii: bytes left %d",bleft));

	return rc;
}

int 
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
		const struct nls_table *nls_cp)
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
	char *str_area;
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
	int resp_buf_type = 0;
	struct kvec iov[2];
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;

	if(ses == NULL)
		return -EINVAL;

	type = ses->server->secType;

	cFYI(1,("sess setup type %d",type));
	if(type == LANMAN) {
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
	} else if((type == NTLM) || (type == NTLMv2)) { 
		/* For NTLMv2 failures eventually may need to retry NTLM */
		wct = 13; /* old style NTLM sessionsetup */
	} else /* same size for negotiate or auth, NTLMSSP or extended security */
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
	if(rc)
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);

	/* we will send the SMB in two pieces,
	a fixed length beginning part, and a
	second part which will include the strings
	and rest of bcc area, in order to avoid having
	to do a large buffer 17K allocation */
        iov[0].iov_base = (char *)pSMB;
        iov[0].iov_len = smb_buf->smb_buf_length + 4;

	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
	bcc_ptr = str_area;

	ses->flags &= ~CIFS_SES_LANMAN;

	if(type == LANMAN) {
#ifdef CONFIG_CIFS_WEAK_PW_HASH
		char lnm_session_key[CIFS_SESS_KEY_SIZE];

		/* no capabilities flags in old lanman negotiation */

		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE); 
		/* BB calculate hash with password */
		/* and copy into bcc */

		calc_lanman_hash(ses, lnm_session_key);
		ses->flags |= CIFS_SES_LANMAN; 
/* #ifdef CONFIG_CIFS_DEBUG2
		cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
			CIFS_SESS_KEY_SIZE);
#endif */
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

		cFYI(1,("Negotiating LANMAN setting up strings"));
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#endif    
	} else if (type == NTLM) {
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
	
		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

		if(first_time) /* should this be moved into common code 
				  with similar ntlmv2 path? */
			cifs_calculate_mac_key(ses->server->mac_signing_key,
				ntlm_session_key, ses->password);
		/* copy session key */

		memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		if(ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;		
			}	
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
		char * v2_sess_key = 
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */

		if(v2_sess_key == NULL) {
			cifs_small_buf_release(smb_buf);
			return -ENOMEM;
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(sizeof(struct ntlmv2_resp));

		/* calculate session key */
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
		if(first_time) /* should this be moved into common code
			          with similar ntlmv2 path? */
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
		memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
		if(ses->capabilities & CAP_UNICODE) {
			if(iov[0].iov_len % 2) {
				*bcc_ptr = 0;
			}	bcc_ptr++;
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else /* NTLMSSP or SPNEGO */ {
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
		/* BB set password lengths */
	}

	count = (long) bcc_ptr - (long) str_area;
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

	iov[1].iov_base = str_area;
	iov[1].iov_len = count; 
	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
	/* SMB request buf freed in SendReceive2 */

	cFYI(1,("ssetup rc from sendrecv2 is %d",rc));
	if(rc)
		goto ssetup_exit;

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

	if((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
		rc = -EIO;
		cERROR(1,("bad word count %d", smb_buf->WordCount));
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
		cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
	cFYI(1, ("UID = %d ", ses->Suid));
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

	if(smb_buf->WordCount == 4) {
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
		bcc_ptr += blob_len;
		if(blob_len > bytes_remaining) {
			cERROR(1,("bad security blob length %d", blob_len));
			rc = -EINVAL;
			goto ssetup_exit;
		}
		bytes_remaining -= blob_len;
	}	

	/* BB check if Unicode and decode strings */
	if(smb_buf->Flags2 & SMBFLG2_UNICODE)
		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
						   ses, nls_cp);
	else
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
	
ssetup_exit:
	kfree(str_area);
	if(resp_buf_type == CIFS_SMALL_BUFFER) {
		cFYI(1,("ssetup freeing small buf %p", iov[0].iov_base));
		cifs_small_buf_release(iov[0].iov_base);
	} else if(resp_buf_type == CIFS_LARGE_BUFFER)
		cifs_buf_release(iov[0].iov_base);

	return rc;
}
Commit	Line	Data
3979877e SF	1	/*
	2	* fs/cifs/sess.c
	3	*
	4	* SMB/CIFS session setup handling routines
	5	*
	6	* Copyright (c) International Business Machines Corp., 2006
	7	* Author(s): Steve French (sfrench@us.ibm.com)
	8	*
	9	* This library is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU Lesser General Public License as published
	11	* by the Free Software Foundation; either version 2.1 of the License, or
	12	* (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	17	* the GNU Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public License
	20	* along with this library; if not, write to the Free Software
	21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	22	*/
	23
	24	#include "cifspdu.h"
	25	#include "cifsglob.h"
	26	#include "cifsproto.h"
	27	#include "cifs_unicode.h"
	28	#include "cifs_debug.h"
	29	#include "ntlmssp.h"
	30	#include "nterr.h"
9c53588e	31	#include <linux/utsname.h>
3979877e	32
3979877e SF	33	extern void SMBNTencrypt(unsigned char passwd, unsigned char c8,
	34	unsigned char *p24);
	35
3979877e SF	36	static __u32 cifs_ssetup_hdr(struct cifsSesInfo ses, SESSION_SETUP_ANDX pSMB)
	37	{
	38	__u32 capabilities = 0;
	39
	40	/* init fields common to all four types of SessSetup */
	41	/* note that header is initialized to zero in header_assemble */
	42	pSMB->req.AndXCommand = 0xFF;
	43	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	44	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
	45
	46	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
	47
	48	/* BB verify whether signing required on neg or just on auth frame
	49	(and NTLM case) */
	50
	51	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|
	52	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;
	53
	54	if(ses->server->secMode & (SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
	55	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
	56
	57	if (ses->capabilities & CAP_UNICODE) {
	58	pSMB->req.hdr.Flags2 \|= SMBFLG2_UNICODE;
	59	capabilities \|= CAP_UNICODE;
	60	}
	61	if (ses->capabilities & CAP_STATUS32) {
	62	pSMB->req.hdr.Flags2 \|= SMBFLG2_ERR_STATUS;
	63	capabilities \|= CAP_STATUS32;
	64	}
	65	if (ses->capabilities & CAP_DFS) {
	66	pSMB->req.hdr.Flags2 \|= SMBFLG2_DFS;
	67	capabilities \|= CAP_DFS;
	68	}
	69	if (ses->capabilities & CAP_UNIX) {
	70	capabilities \|= CAP_UNIX;
	71	}
	72
	73	/* BB check whether to init vcnum BB */
	74	return capabilities;
	75	}
	76
7c7b25bc	77	static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
3979877e SF	78	const struct nls_table * nls_cp)
	79	{
	80	char * bcc_ptr = *pbcc_area;
	81	int bytes_ret = 0;
	82
	83	/* BB FIXME add check that strings total less
	84	than 335 or will need to send them as arrays */
	85
0223cf0b SF	86	/* unicode strings, must be word aligned before the call */
0223cf0b SF	87	/* if ((long) bcc_ptr % 2) {
3979877e SF	88	*bcc_ptr = 0;
3979877e SF	89	bcc_ptr++;
0223cf0b	90	} */
3979877e SF	91	/* copy user */
3979877e SF	92	if(ses->userName == NULL) {
6e659c63 SF	93	/* null user mount */
	94	*bcc_ptr = 0;
	95	*(bcc_ptr+1) = 0;
3979877e SF	96	} else { /* 300 should be long enough for any conceivable user name */
	97	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
	98	300, nls_cp);
	99	}
	100	bcc_ptr += 2 * bytes_ret;
	101	bcc_ptr += 2; /* account for null termination */
	102	/* copy domain */
6e659c63 SF	103	if(ses->domainName == NULL) {
	104	/* Sending null domain better than using a bogus domain name (as
	105	we did briefly in 2.6.18) since server will use its default */
	106	*bcc_ptr = 0;
	107	*(bcc_ptr+1) = 0;
	108	bytes_ret = 0;
	109	} else
3979877e SF	110	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
	111	256, nls_cp);
	112	bcc_ptr += 2 * bytes_ret;
	113	bcc_ptr += 2; /* account for null terminator */
	114
	115	/* Copy OS version */
	116	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
	117	nls_cp);
	118	bcc_ptr += 2 * bytes_ret;
96b644bd	119	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
3979877e SF	120	32, nls_cp);
	121	bcc_ptr += 2 * bytes_ret;
	122	bcc_ptr += 2; /* trailing null */
	123
	124	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
	125	32, nls_cp);
	126	bcc_ptr += 2 * bytes_ret;
	127	bcc_ptr += 2; /* trailing null */
	128
	129	*pbcc_area = bcc_ptr;
	130	}
	131
7c7b25bc	132	static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
3979877e SF	133	const struct nls_table * nls_cp)
	134	{
	135	char * bcc_ptr = *pbcc_area;
	136
	137	/* copy user */
	138	/* BB what about null user mounts - check that we do this BB */
	139	/* copy user */
	140	if(ses->userName == NULL) {
	141	/* BB what about null user mounts - check that we do this BB */
	142	} else { /* 300 should be long enough for any conceivable user name */
	143	strncpy(bcc_ptr, ses->userName, 300);
	144	}
	145	/* BB improve check for overflow */
750d1151	146	bcc_ptr += strnlen(ses->userName, 300);
3979877e SF	147	*bcc_ptr = 0;
	148	bcc_ptr++; /* account for null termination */
	149
	150	/* copy domain */
	151
6e659c63	152	if(ses->domainName != NULL) {
3979877e SF	153	strncpy(bcc_ptr, ses->domainName, 256);
3979877e SF	154	bcc_ptr += strnlen(ses->domainName, 256);
6e659c63 SF	155	} /* else we will send a null domain name
6e659c63 SF	156	so the server will default to its own domain */
3979877e SF	157	*bcc_ptr = 0;
	158	bcc_ptr++;
	159
	160	/* BB check for overflow here */
	161
	162	strcpy(bcc_ptr, "Linux version ");
	163	bcc_ptr += strlen("Linux version ");
96b644bd SH	164	strcpy(bcc_ptr, init_utsname()->release);
96b644bd SH	165	bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e SF	166
	167	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	168	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
	169
	170	*pbcc_area = bcc_ptr;
	171	}
	172
7c7b25bc	173	static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
3979877e SF	174	const struct nls_table * nls_cp)
	175	{
	176	int rc = 0;
	177	int words_left, len;
	178	char * data = *pbcc_area;
	179
	180
	181
	182	cFYI(1,("bleft %d",bleft));
	183
	184
8e6f195a SF	185	/* SMB header is unaligned, so cifs servers word align start of
	186	Unicode strings */
	187	data++;
	188	bleft--; /* Windows servers do not always double null terminate
	189	their final Unicode string - in which case we
	190	now will not attempt to decode the byte of junk
	191	which follows it */
	192
3979877e SF	193	words_left = bleft / 2;
	194
	195	/* save off server operating system */
	196	len = UniStrnlen((wchar_t *) data, words_left);
	197
	198	/* We look for obvious messed up bcc or strings in response so we do not go off
	199	the end since (at least) WIN2K and Windows XP have a major bug in not null
	200	terminating last Unicode string in response */
	201	if(len >= words_left)
	202	return rc;
	203
	204	if(ses->serverOS)
	205	kfree(ses->serverOS);
	206	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	207	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
	208	if(ses->serverOS != NULL) {
	209	cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
	210	nls_cp);
	211	}
	212	data += 2 * (len + 1);
	213	words_left -= len + 1;
	214
	215	/* save off server network operating system */
	216	len = UniStrnlen((wchar_t *) data, words_left);
	217
	218	if(len >= words_left)
	219	return rc;
	220
	221	if(ses->serverNOS)
	222	kfree(ses->serverNOS);
	223	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
	224	if(ses->serverNOS != NULL) {
	225	cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
	226	nls_cp);
	227	if(strncmp(ses->serverNOS, "NT LAN Manager 4",16) == 0) {
	228	cFYI(1,("NT4 server"));
	229	ses->flags \|= CIFS_SES_NT4;
	230	}
	231	}
	232	data += 2 * (len + 1);
	233	words_left -= len + 1;
	234
	235	/* save off server domain */
	236	len = UniStrnlen((wchar_t *) data, words_left);
	237
	238	if(len > words_left)
	239	return rc;
	240
	241	if(ses->serverDomain)
	242	kfree(ses->serverDomain);
	243	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	244	if(ses->serverDomain != NULL) {
	245	cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
	246	nls_cp);
	247	ses->serverDomain[2*len] = 0;
	248	ses->serverDomain[(2*len) + 1] = 0;
	249	}
	250	data += 2 * (len + 1);
	251	words_left -= len + 1;
	252
	253	cFYI(1,("words left: %d",words_left));
	254
	255	return rc;
	256	}
257
7c7b25bc	258	static int decode_ascii_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
3979877e SF	259	const struct nls_table * nls_cp)
	260	{
	261	int rc = 0;
	262	int len;
	263	char * bcc_ptr = *pbcc_area;
	264
	265	cFYI(1,("decode sessetup ascii. bleft %d", bleft));
	266
	267	len = strnlen(bcc_ptr, bleft);
	268	if(len >= bleft)
	269	return rc;
	270
	271	if(ses->serverOS)
	272	kfree(ses->serverOS);
	273
	274	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
	275	if(ses->serverOS)
	276	strncpy(ses->serverOS, bcc_ptr, len);
9ac00b7d SF	277	if(strncmp(ses->serverOS, "OS/2",4) == 0) {
	278	cFYI(1,("OS/2 server"));
	279	ses->flags \|= CIFS_SES_OS2;
	280	}
3979877e SF	281
	282	bcc_ptr += len + 1;
	283	bleft -= len + 1;
	284
	285	len = strnlen(bcc_ptr, bleft);
	286	if(len >= bleft)
	287	return rc;
	288
	289	if(ses->serverNOS)
	290	kfree(ses->serverNOS);
	291
	292	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
	293	if(ses->serverNOS)
	294	strncpy(ses->serverNOS, bcc_ptr, len);
	295
	296	bcc_ptr += len + 1;
	297	bleft -= len + 1;
	298
	299	len = strnlen(bcc_ptr, bleft);
	300	if(len > bleft)
	301	return rc;
	302
9ac00b7d SF	303	/* No domain field in LANMAN case. Domain is
	304	returned by old servers in the SMB negprot response */
	305	/* BB For newer servers which do not support Unicode,
	306	but thus do return domain here we could add parsing
	307	for it later, but it is not very important */
3979877e SF	308	cFYI(1,("ascii: bytes left %d",bleft));
	309
	310	return rc;
	311	}
	312
	313	int
	314	CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
	315	const struct nls_table *nls_cp)
	316	{
	317	int rc = 0;
	318	int wct;
3979877e SF	319	struct smb_hdr *smb_buf;
3979877e SF	320	char *bcc_ptr;
750d1151	321	char *str_area;
3979877e SF	322	SESSION_SETUP_ANDX *pSMB;
	323	__u32 capabilities;
	324	int count;
	325	int resp_buf_type = 0;
750d1151	326	struct kvec iov[2];
3979877e SF	327	enum securityEnum type;
	328	__u16 action;
	329	int bytes_remaining;
254e55ed	330
3979877e SF	331	if(ses == NULL)
	332	return -EINVAL;
	333
	334	type = ses->server->secType;
f40c5628 SF	335
f40c5628 SF	336	cFYI(1,("sess setup type %d",type));
3979877e SF	337	if(type == LANMAN) {
	338	#ifndef CONFIG_CIFS_WEAK_PW_HASH
	339	/* LANMAN and plaintext are less secure and off by default.
	340	So we make this explicitly be turned on in kconfig (in the
	341	build) and turned on at runtime (changed from the default)
	342	in proc/fs/cifs or via mount parm. Unfortunately this is
	343	needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
	344	return -EOPNOTSUPP;
	345	#endif
	346	wct = 10; /* lanman 2 style sessionsetup */
9312f675 SF	347	} else if((type == NTLM) \|\| (type == NTLMv2)) {
9312f675 SF	348	/* For NTLMv2 failures eventually may need to retry NTLM */
3979877e	349	wct = 13; /* old style NTLM sessionsetup */
9312f675	350	} else /* same size for negotiate or auth, NTLMSSP or extended security */
3979877e SF	351	wct = 12;
	352
	353	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
	354	(void **)&smb_buf);
	355	if(rc)
	356	return rc;
	357
	358	pSMB = (SESSION_SETUP_ANDX *)smb_buf;
	359
	360	capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 SF	361
	362	/* we will send the SMB in two pieces,
	363	a fixed length beginning part, and a
	364	second part which will include the strings
	365	and rest of bcc area, in order to avoid having
	366	to do a large buffer 17K allocation */
	367	iov[0].iov_base = (char *)pSMB;
	368	iov[0].iov_len = smb_buf->smb_buf_length + 4;
	369
	370	/* 2000 big enough to fit max user, domain, NOS name etc. */
	371	str_area = kmalloc(2000, GFP_KERNEL);
	372	bcc_ptr = str_area;
3979877e	373
9ac00b7d SF	374	ses->flags &= ~CIFS_SES_LANMAN;
9ac00b7d SF	375
3979877e SF	376	if(type == LANMAN) {
3979877e SF	377	#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc	378	char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	379
	380	/* no capabilities flags in old lanman negotiation */
	381
5ddaa683	382	pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e SF	383	/* BB calculate hash with password */
	384	/* and copy into bcc */
	385
7c7b25bc	386	calc_lanman_hash(ses, lnm_session_key);
9ac00b7d	387	ses->flags \|= CIFS_SES_LANMAN;
750d1151	388	/* #ifdef CONFIG_CIFS_DEBUG2
3979877e	389	cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
7c7b25bc	390	CIFS_SESS_KEY_SIZE);
750d1151	391	#endif */
7c7b25bc SF	392	memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc SF	393	bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e SF	394
	395	/* can not sign if LANMAN negotiated so no need
	396	to calculate signing key? but what if server
	397	changed to do higher than lanman dialect and
	398	we reconnected would we ever calc signing_key? */
	399
750d1151	400	cFYI(1,("Negotiating LANMAN setting up strings"));
3979877e SF	401	/* Unicode not allowed for LANMAN dialects */
	402	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	403	#endif
	404	} else if (type == NTLM) {
7c7b25bc	405	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	406
	407	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	408	pSMB->req_no_secext.CaseInsensitivePasswordLength =
7c7b25bc	409	cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e	410	pSMB->req_no_secext.CaseSensitivePasswordLength =
7c7b25bc	411	cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e SF	412
	413	/* calculate session key */
	414	SMBNTencrypt(ses->password, ses->server->cryptKey,
	415	ntlm_session_key);
	416
	417	if(first_time) /* should this be moved into common code
	418	with similar ntlmv2 path? */
750d1151	419	cifs_calculate_mac_key(ses->server->mac_signing_key,
3979877e SF	420	ntlm_session_key, ses->password);
	421	/* copy session key */
	422
7c7b25bc SF	423	memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
	424	bcc_ptr += CIFS_SESS_KEY_SIZE;
	425	memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
	426	bcc_ptr += CIFS_SESS_KEY_SIZE;
0223cf0b SF	427	if(ses->capabilities & CAP_UNICODE) {
	428	/* unicode strings must be word aligned */
	429	if (iov[0].iov_len % 2) {
	430	*bcc_ptr = 0;
	431	bcc_ptr++;
	432	}
7c7b25bc	433	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	434	} else
7c7b25bc SF	435	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
7c7b25bc SF	436	} else if (type == NTLMv2) {
6d027cfd SF	437	char * v2_sess_key =
6d027cfd SF	438	kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
f64b23ae SF	439
	440	/* BB FIXME change all users of v2_sess_key to
	441	struct ntlmv2_resp */
7c7b25bc SF	442
	443	if(v2_sess_key == NULL) {
	444	cifs_small_buf_release(smb_buf);
	445	return -ENOMEM;
	446	}
	447
	448	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	449
	450	/* LM2 password would be here if we supported it */
	451	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
	452	/* cpu_to_le16(LM2_SESS_KEY_SIZE); */
	453
	454	pSMB->req_no_secext.CaseSensitivePasswordLength =
f64b23ae	455	cpu_to_le16(sizeof(struct ntlmv2_resp));
7c7b25bc SF	456
7c7b25bc SF	457	/* calculate session key */
1717ffc5	458	setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
7c7b25bc SF	459	if(first_time) /* should this be moved into common code
	460	with similar ntlmv2 path? */
	461	/* cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
	462	response BB FIXME, v2_sess_key); */
	463
	464	/* copy session key */
	465
	466	/* memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
	467	bcc_ptr += LM2_SESS_KEY_SIZE; */
f64b23ae SF	468	memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
	469	bcc_ptr += sizeof(struct ntlmv2_resp);
	470	kfree(v2_sess_key);
0223cf0b SF	471	if(ses->capabilities & CAP_UNICODE) {
	472	if(iov[0].iov_len % 2) {
	473	*bcc_ptr = 0;
	474	} bcc_ptr++;
3979877e	475	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	476	} else
3979877e SF	477	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	478	} else /* NTLMSSP or SPNEGO */ {
	479	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
	480	capabilities \|= CAP_EXTENDED_SECURITY;
	481	pSMB->req.Capabilities = cpu_to_le32(capabilities);
	482	/* BB set password lengths */
	483	}
	484
750d1151	485	count = (long) bcc_ptr - (long) str_area;
3979877e SF	486	smb_buf->smb_buf_length += count;
3979877e SF	487
3979877e SF	488	BCC_LE(smb_buf) = cpu_to_le16(count);
3979877e SF	489
750d1151 SF	490	iov[1].iov_base = str_area;
	491	iov[1].iov_len = count;
	492	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
3979877e SF	493	/* SMB request buf freed in SendReceive2 */
	494
	495	cFYI(1,("ssetup rc from sendrecv2 is %d",rc));
	496	if(rc)
	497	goto ssetup_exit;
	498
	499	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	500	smb_buf = (struct smb_hdr *)iov[0].iov_base;
	501
	502	if((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
	503	rc = -EIO;
	504	cERROR(1,("bad word count %d", smb_buf->WordCount));
	505	goto ssetup_exit;
	506	}
	507	action = le16_to_cpu(pSMB->resp.Action);
	508	if (action & GUEST_LOGIN)
189acaae	509	cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
3979877e SF	510	ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
	511	cFYI(1, ("UID = %d ", ses->Suid));
	512	/* response can have either 3 or 4 word count - Samba sends 3 */
	513	/* and lanman response is 3 */
	514	bytes_remaining = BCC(smb_buf);
	515	bcc_ptr = pByteArea(smb_buf);
	516
	517	if(smb_buf->WordCount == 4) {
	518	__u16 blob_len;
	519	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
	520	bcc_ptr += blob_len;
	521	if(blob_len > bytes_remaining) {
	522	cERROR(1,("bad security blob length %d", blob_len));
	523	rc = -EINVAL;
	524	goto ssetup_exit;
	525	}
	526	bytes_remaining -= blob_len;
	527	}
	528
	529	/* BB check if Unicode and decode strings */
	530	if(smb_buf->Flags2 & SMBFLG2_UNICODE)
	531	rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
	532	ses, nls_cp);
	533	else
	534	rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
	535
	536	ssetup_exit:
750d1151	537	kfree(str_area);
3979877e SF	538	if(resp_buf_type == CIFS_SMALL_BUFFER) {
	539	cFYI(1,("ssetup freeing small buf %p", iov[0].iov_base));
	540	cifs_small_buf_release(iov[0].iov_base);
	541	} else if(resp_buf_type == CIFS_LARGE_BUFFER)
	542	cifs_buf_release(iov[0].iov_base);
	543
	544	return rc;
	545	}