[deliverable/linux.git] / fs / cifs / sess.c

/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
 *   Copyright (c) International Business Machines  Corp., 2006, 2007
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
#include <linux/utsname.h>

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
			 unsigned char *p24);

static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
	/* note that header is initialized to zero in header_assemble */
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

	/* BB verify whether signing required on neg or just on auth frame
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
	if (ses->capabilities & CAP_UNIX) {
		capabilities |= CAP_UNIX;
	}

	/* BB check whether to init vcnum BB */
	return capabilities;
}

static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
		*bcc_ptr = 0;
		bcc_ptr++;
	} */
	/* copy user */
	if (ses->userName == NULL) {
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
	} else { /* 300 should be long enough for any conceivable user name */
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
					  300, nls_cp);
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */
	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
				 const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
	} else { /* 300 should be long enough for any conceivable user name */
		strncpy(bcc_ptr, ses->userName, 300);
	}
	/* BB improve check for overflow */
	bcc_ptr += strnlen(ses->userName, 300);
	*bcc_ptr = 0;
	bcc_ptr++; /* account for null termination */

	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
		bcc_ptr += strnlen(ses->domainName, 256);
	} /* else we will send a null domain name
	     so the server will default to its own domain */
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

	*pbcc_area = bcc_ptr;
}

static int decode_unicode_ssetup(char **pbcc_area, int bleft,
				 struct cifsSesInfo *ses,
				 const struct nls_table *nls_cp)
{
	int rc = 0;
	int words_left, len;
	char *data = *pbcc_area;


	cFYI(1, ("bleft %d", bleft));


	/* SMB header is unaligned, so cifs servers word align start of
	   Unicode strings */
	data++;
	bleft--; /* Windows servers do not always double null terminate
		    their final Unicode string - in which case we
		    now will not attempt to decode the byte of junk
		    which follows it */

	words_left = bleft / 2;

	/* save off server operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

/* We look for obvious messed up bcc or strings in response so we do not go off
   the end since (at least) WIN2K and Windows XP have a major bug in not null
   terminating last Unicode string in response  */
	if (len >= words_left)
		return rc;

	if (ses->serverOS)
		kfree(ses->serverOS);
	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
	if (ses->serverOS != NULL) {
		cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
				   nls_cp);
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server network operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

	if (len >= words_left)
		return rc;

	if (ses->serverNOS)
		kfree(ses->serverNOS);
	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
	if (ses->serverNOS != NULL) {
		cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
				   nls_cp);
		if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
			cFYI(1, ("NT4 server"));
			ses->flags |= CIFS_SES_NT4;
		}
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server domain */
	len = UniStrnlen((wchar_t *) data, words_left);

	if (len > words_left)
		return rc;

	if (ses->serverDomain)
		kfree(ses->serverDomain);
	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	if (ses->serverDomain != NULL) {
		cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
				   nls_cp);
		ses->serverDomain[2*len] = 0;
		ses->serverDomain[(2*len) + 1] = 0;
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	cFYI(1, ("words left: %d", words_left));

	return rc;
}

static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
{
	int rc = 0;
	int len;
	char *bcc_ptr = *pbcc_area;

	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));

	len = strnlen(bcc_ptr, bleft);
	if (len >= bleft)
		return rc;

	if (ses->serverOS)
		kfree(ses->serverOS);

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
	if (ses->serverOS)
		strncpy(ses->serverOS, bcc_ptr, len);
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
			cFYI(1, ("OS/2 server"));
			ses->flags |= CIFS_SES_OS2;
	}

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
	if (len >= bleft)
		return rc;

	if (ses->serverNOS)
		kfree(ses->serverNOS);

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
	if (ses->serverNOS)
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;

	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
	cFYI(1, ("ascii: bytes left %d", bleft));

	return rc;
}

int
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
		const struct nls_table *nls_cp)
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
	char *str_area;
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
	int resp_buf_type = 0;
	struct kvec iov[2];
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;

	if (ses == NULL)
		return -EINVAL;

	type = ses->server->secType;

	cFYI(1, ("sess setup type %d", type));
	if (type == LANMAN) {
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
	} else if ((type == NTLM) || (type == NTLMv2)) {
		/* For NTLMv2 failures eventually may need to retry NTLM */
		wct = 13; /* old style NTLM sessionsetup */
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
	if (rc)
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);

	/* we will send the SMB in two pieces,
	a fixed length beginning part, and a
	second part which will include the strings
	and rest of bcc area, in order to avoid having
	to do a large buffer 17K allocation */
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;

	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
	if (str_area == NULL) {
		cifs_small_buf_release(smb_buf);
		return -ENOMEM;
	}
	bcc_ptr = str_area;

	ses->flags &= ~CIFS_SES_LANMAN;

	if (type == LANMAN) {
#ifdef CONFIG_CIFS_WEAK_PW_HASH
		char lnm_session_key[CIFS_SESS_KEY_SIZE];

		/* no capabilities flags in old lanman negotiation */

		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
		/* BB calculate hash with password */
		/* and copy into bcc */

		calc_lanman_hash(ses, lnm_session_key);
		ses->flags |= CIFS_SES_LANMAN;
/* #ifdef CONFIG_CIFS_DEBUG2
		cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
			CIFS_SESS_KEY_SIZE);
#endif */
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

		cFYI(1, ("Negotiating LANMAN setting up strings"));
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#endif
	} else if (type == NTLM) {
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);

		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

		if (first_time) /* should this be moved into common code
				  with similar ntlmv2 path? */
			cifs_calculate_mac_key(&ses->server->mac_signing_key,
				ntlm_session_key, ses->password);
		/* copy session key */

		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
		char *v2_sess_key =
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */

		if (v2_sess_key == NULL) {
			cifs_small_buf_release(smb_buf);
			return -ENOMEM;
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(sizeof(struct ntlmv2_resp));

		/* calculate session key */
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
		if (first_time) /* should this be moved into common code
				   with similar ntlmv2 path? */
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
		memcpy(bcc_ptr, (char *)v2_sess_key,
		       sizeof(struct ntlmv2_resp));
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
			}	bcc_ptr++;
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else /* NTLMSSP or SPNEGO */ {
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
		/* BB set password lengths */
	}

	count = (long) bcc_ptr - (long) str_area;
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

	iov[1].iov_base = str_area;
	iov[1].iov_len = count;
	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
	/* SMB request buf freed in SendReceive2 */

	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
	if (rc)
		goto ssetup_exit;

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
		rc = -EIO;
		cERROR(1, ("bad word count %d", smb_buf->WordCount));
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
		cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
	cFYI(1, ("UID = %d ", ses->Suid));
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

	if (smb_buf->WordCount == 4) {
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
		bcc_ptr += blob_len;
		if (blob_len > bytes_remaining) {
			cERROR(1, ("bad security blob length %d", blob_len));
			rc = -EINVAL;
			goto ssetup_exit;
		}
		bytes_remaining -= blob_len;
	}

	/* BB check if Unicode and decode strings */
	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
						   ses, nls_cp);
	else
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);

ssetup_exit:
	kfree(str_area);
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
		cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
		cifs_small_buf_release(iov[0].iov_base);
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
		cifs_buf_release(iov[0].iov_base);

	return rc;
}
Commit	Line	Data
3979877e SF	1	/*
	2	* fs/cifs/sess.c
	3	*
	4	* SMB/CIFS session setup handling routines
	5	*
790fe579	6	* Copyright (c) International Business Machines Corp., 2006, 2007
3979877e SF	7	* Author(s): Steve French (sfrench@us.ibm.com)
	8	*
	9	* This library is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU Lesser General Public License as published
	11	* by the Free Software Foundation; either version 2.1 of the License, or
	12	* (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	17	* the GNU Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public License
	20	* along with this library; if not, write to the Free Software
	21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	22	*/
	23
	24	#include "cifspdu.h"
	25	#include "cifsglob.h"
	26	#include "cifsproto.h"
	27	#include "cifs_unicode.h"
	28	#include "cifs_debug.h"
	29	#include "ntlmssp.h"
	30	#include "nterr.h"
9c53588e	31	#include <linux/utsname.h>
3979877e	32
3979877e	33	extern void SMBNTencrypt(unsigned char passwd, unsigned char c8,
790fe579	34	unsigned char *p24);
3979877e	35
3979877e SF	36	static __u32 cifs_ssetup_hdr(struct cifsSesInfo ses, SESSION_SETUP_ANDX pSMB)
	37	{
	38	__u32 capabilities = 0;
	39
	40	/* init fields common to all four types of SessSetup */
	41	/* note that header is initialized to zero in header_assemble */
	42	pSMB->req.AndXCommand = 0xFF;
	43	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	44	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
	45
	46	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
	47
790fe579	48	/* BB verify whether signing required on neg or just on auth frame
3979877e SF	49	(and NTLM case) */
	50
	51	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|
	52	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;
	53
790fe579 SF	54	if (ses->server->secMode &
790fe579 SF	55	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
3979877e SF	56	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
	57
	58	if (ses->capabilities & CAP_UNICODE) {
	59	pSMB->req.hdr.Flags2 \|= SMBFLG2_UNICODE;
	60	capabilities \|= CAP_UNICODE;
	61	}
	62	if (ses->capabilities & CAP_STATUS32) {
	63	pSMB->req.hdr.Flags2 \|= SMBFLG2_ERR_STATUS;
	64	capabilities \|= CAP_STATUS32;
	65	}
	66	if (ses->capabilities & CAP_DFS) {
	67	pSMB->req.hdr.Flags2 \|= SMBFLG2_DFS;
	68	capabilities \|= CAP_DFS;
	69	}
	70	if (ses->capabilities & CAP_UNIX) {
	71	capabilities \|= CAP_UNIX;
	72	}
	73
	74	/* BB check whether to init vcnum BB */
	75	return capabilities;
	76	}
	77
3870253e	78	static void unicode_ssetup_strings(char *pbcc_area, struct cifsSesInfo ses,
790fe579	79	const struct nls_table *nls_cp)
3979877e	80	{
790fe579	81	char bcc_ptr = pbcc_area;
3979877e SF	82	int bytes_ret = 0;
	83
	84	/* BB FIXME add check that strings total less
	85	than 335 or will need to send them as arrays */
	86
0223cf0b SF	87	/* unicode strings, must be word aligned before the call */
0223cf0b SF	88	/* if ((long) bcc_ptr % 2) {
3979877e SF	89	*bcc_ptr = 0;
3979877e SF	90	bcc_ptr++;
0223cf0b	91	} */
3979877e	92	/* copy user */
790fe579	93	if (ses->userName == NULL) {
6e659c63 SF	94	/* null user mount */
	95	*bcc_ptr = 0;
	96	*(bcc_ptr+1) = 0;
3979877e SF	97	} else { /* 300 should be long enough for any conceivable user name */
	98	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
	99	300, nls_cp);
	100	}
	101	bcc_ptr += 2 * bytes_ret;
	102	bcc_ptr += 2; /* account for null termination */
	103	/* copy domain */
790fe579	104	if (ses->domainName == NULL) {
6e659c63 SF	105	/* Sending null domain better than using a bogus domain name (as
	106	we did briefly in 2.6.18) since server will use its default */
	107	*bcc_ptr = 0;
	108	*(bcc_ptr+1) = 0;
	109	bytes_ret = 0;
	110	} else
3870253e	111	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
3979877e SF	112	256, nls_cp);
	113	bcc_ptr += 2 * bytes_ret;
	114	bcc_ptr += 2; /* account for null terminator */
	115
	116	/* Copy OS version */
	117	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
	118	nls_cp);
	119	bcc_ptr += 2 * bytes_ret;
96b644bd	120	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
3979877e SF	121	32, nls_cp);
	122	bcc_ptr += 2 * bytes_ret;
	123	bcc_ptr += 2; /* trailing null */
	124
	125	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
790fe579	126	32, nls_cp);
3979877e SF	127	bcc_ptr += 2 * bytes_ret;
	128	bcc_ptr += 2; /* trailing null */
	129
	130	*pbcc_area = bcc_ptr;
	131	}
	132
3870253e	133	static void ascii_ssetup_strings(char *pbcc_area, struct cifsSesInfo ses,
790fe579	134	const struct nls_table *nls_cp)
3979877e	135	{
790fe579	136	char bcc_ptr = pbcc_area;
3979877e SF	137
	138	/* copy user */
	139	/* BB what about null user mounts - check that we do this BB */
790fe579 SF	140	/* copy user */
	141	if (ses->userName == NULL) {
	142	/* BB what about null user mounts - check that we do this BB */
	143	} else { /* 300 should be long enough for any conceivable user name */
	144	strncpy(bcc_ptr, ses->userName, 300);
	145	}
3979877e	146	/* BB improve check for overflow */
790fe579	147	bcc_ptr += strnlen(ses->userName, 300);
3979877e	148	*bcc_ptr = 0;
790fe579	149	bcc_ptr++; /* account for null termination */
3979877e	150
790fe579 SF	151	/* copy domain */
	152
	153	if (ses->domainName != NULL) {
	154	strncpy(bcc_ptr, ses->domainName, 256);
3979877e	155	bcc_ptr += strnlen(ses->domainName, 256);
790fe579	156	} /* else we will send a null domain name
6e659c63	157	so the server will default to its own domain */
3979877e SF	158	*bcc_ptr = 0;
	159	bcc_ptr++;
	160
	161	/* BB check for overflow here */
	162
	163	strcpy(bcc_ptr, "Linux version ");
	164	bcc_ptr += strlen("Linux version ");
96b644bd SH	165	strcpy(bcc_ptr, init_utsname()->release);
96b644bd SH	166	bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e SF	167
	168	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	169	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
	170
790fe579	171	*pbcc_area = bcc_ptr;
3979877e SF	172	}
3979877e SF	173
790fe579 SF	174	static int decode_unicode_ssetup(char **pbcc_area, int bleft,
	175	struct cifsSesInfo *ses,
	176	const struct nls_table *nls_cp)
3979877e SF	177	{
	178	int rc = 0;
	179	int words_left, len;
790fe579	180	char data = pbcc_area;
3979877e SF	181
	182
	183
790fe579	184	cFYI(1, ("bleft %d", bleft));
3979877e SF	185
3979877e SF	186
8e6f195a SF	187	/* SMB header is unaligned, so cifs servers word align start of
	188	Unicode strings */
	189	data++;
	190	bleft--; /* Windows servers do not always double null terminate
	191	their final Unicode string - in which case we
	192	now will not attempt to decode the byte of junk
	193	which follows it */
50c2f753	194
3979877e SF	195	words_left = bleft / 2;
	196
	197	/* save off server operating system */
	198	len = UniStrnlen((wchar_t *) data, words_left);
	199
	200	/* We look for obvious messed up bcc or strings in response so we do not go off
	201	the end since (at least) WIN2K and Windows XP have a major bug in not null
	202	terminating last Unicode string in response */
790fe579	203	if (len >= words_left)
3979877e SF	204	return rc;
3979877e SF	205
790fe579	206	if (ses->serverOS)
3979877e SF	207	kfree(ses->serverOS);
	208	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	209	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
790fe579	210	if (ses->serverOS != NULL) {
3979877e SF	211	cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
	212	nls_cp);
	213	}
	214	data += 2 * (len + 1);
	215	words_left -= len + 1;
	216
	217	/* save off server network operating system */
	218	len = UniStrnlen((wchar_t *) data, words_left);
	219
790fe579	220	if (len >= words_left)
3979877e SF	221	return rc;
3979877e SF	222
790fe579	223	if (ses->serverNOS)
3979877e SF	224	kfree(ses->serverNOS);
3979877e SF	225	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
790fe579	226	if (ses->serverNOS != NULL) {
3979877e SF	227	cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
3979877e SF	228	nls_cp);
790fe579 SF	229	if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
790fe579 SF	230	cFYI(1, ("NT4 server"));
3979877e SF	231	ses->flags \|= CIFS_SES_NT4;
	232	}
	233	}
	234	data += 2 * (len + 1);
	235	words_left -= len + 1;
	236
790fe579 SF	237	/* save off server domain */
	238	len = UniStrnlen((wchar_t *) data, words_left);
	239
	240	if (len > words_left)
	241	return rc;
	242
	243	if (ses->serverDomain)
	244	kfree(ses->serverDomain);
	245	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	246	if (ses->serverDomain != NULL) {
	247	cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
	248	nls_cp);
	249	ses->serverDomain[2*len] = 0;
	250	ses->serverDomain[(2*len) + 1] = 0;
	251	}
	252	data += 2 * (len + 1);
	253	words_left -= len + 1;
	254
	255	cFYI(1, ("words left: %d", words_left));
3979877e SF	256
	257	return rc;
	258	}
	259
790fe579 SF	260	static int decode_ascii_ssetup(char **pbcc_area, int bleft,
	261	struct cifsSesInfo *ses,
	262	const struct nls_table *nls_cp)
3979877e SF	263	{
	264	int rc = 0;
	265	int len;
790fe579	266	char bcc_ptr = pbcc_area;
3979877e	267
790fe579	268	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));
50c2f753	269
3979877e	270	len = strnlen(bcc_ptr, bleft);
790fe579	271	if (len >= bleft)
3979877e	272	return rc;
50c2f753	273
790fe579	274	if (ses->serverOS)
3979877e SF	275	kfree(ses->serverOS);
	276
	277	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
790fe579	278	if (ses->serverOS)
3979877e	279	strncpy(ses->serverOS, bcc_ptr, len);
790fe579 SF	280	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
790fe579 SF	281	cFYI(1, ("OS/2 server"));
9ac00b7d SF	282	ses->flags \|= CIFS_SES_OS2;
9ac00b7d SF	283	}
3979877e SF	284
	285	bcc_ptr += len + 1;
	286	bleft -= len + 1;
	287
	288	len = strnlen(bcc_ptr, bleft);
790fe579	289	if (len >= bleft)
3979877e SF	290	return rc;
3979877e SF	291
790fe579	292	if (ses->serverNOS)
3979877e SF	293	kfree(ses->serverNOS);
	294
	295	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
790fe579	296	if (ses->serverNOS)
3979877e SF	297	strncpy(ses->serverNOS, bcc_ptr, len);
	298
	299	bcc_ptr += len + 1;
	300	bleft -= len + 1;
	301
790fe579 SF	302	len = strnlen(bcc_ptr, bleft);
	303	if (len > bleft)
	304	return rc;
3979877e	305
9ac00b7d SF	306	/* No domain field in LANMAN case. Domain is
	307	returned by old servers in the SMB negprot response */
	308	/* BB For newer servers which do not support Unicode,
	309	but thus do return domain here we could add parsing
	310	for it later, but it is not very important */
790fe579	311	cFYI(1, ("ascii: bytes left %d", bleft));
3979877e SF	312
	313	return rc;
	314	}
	315
790fe579	316	int
3979877e SF	317	CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
	318	const struct nls_table *nls_cp)
	319	{
	320	int rc = 0;
	321	int wct;
3979877e SF	322	struct smb_hdr *smb_buf;
3979877e SF	323	char *bcc_ptr;
750d1151	324	char *str_area;
3979877e SF	325	SESSION_SETUP_ANDX *pSMB;
	326	__u32 capabilities;
	327	int count;
	328	int resp_buf_type = 0;
750d1151	329	struct kvec iov[2];
3979877e SF	330	enum securityEnum type;
	331	__u16 action;
	332	int bytes_remaining;
254e55ed	333
790fe579	334	if (ses == NULL)
3979877e SF	335	return -EINVAL;
	336
	337	type = ses->server->secType;
f40c5628	338
790fe579 SF	339	cFYI(1, ("sess setup type %d", type));
790fe579 SF	340	if (type == LANMAN) {
3979877e SF	341	#ifndef CONFIG_CIFS_WEAK_PW_HASH
	342	/* LANMAN and plaintext are less secure and off by default.
	343	So we make this explicitly be turned on in kconfig (in the
	344	build) and turned on at runtime (changed from the default)
	345	in proc/fs/cifs or via mount parm. Unfortunately this is
	346	needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
	347	return -EOPNOTSUPP;
	348	#endif
	349	wct = 10; /* lanman 2 style sessionsetup */
790fe579	350	} else if ((type == NTLM) \|\| (type == NTLMv2)) {
9312f675	351	/* For NTLMv2 failures eventually may need to retry NTLM */
3979877e	352	wct = 13; /* old style NTLM sessionsetup */
790fe579	353	} else /* same size: negotiate or auth, NTLMSSP or extended security */
3979877e SF	354	wct = 12;
	355
	356	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
	357	(void **)&smb_buf);
790fe579	358	if (rc)
3979877e SF	359	return rc;
	360
	361	pSMB = (SESSION_SETUP_ANDX *)smb_buf;
	362
	363	capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 SF	364
	365	/* we will send the SMB in two pieces,
	366	a fixed length beginning part, and a
	367	second part which will include the strings
	368	and rest of bcc area, in order to avoid having
	369	to do a large buffer 17K allocation */
790fe579 SF	370	iov[0].iov_base = (char *)pSMB;
790fe579 SF	371	iov[0].iov_len = smb_buf->smb_buf_length + 4;
750d1151 SF	372
	373	/* 2000 big enough to fit max user, domain, NOS name etc. */
	374	str_area = kmalloc(2000, GFP_KERNEL);
5e6e6232 CG	375	if (str_area == NULL) {
	376	cifs_small_buf_release(smb_buf);
	377	return -ENOMEM;
	378	}
750d1151	379	bcc_ptr = str_area;
3979877e	380
9ac00b7d SF	381	ses->flags &= ~CIFS_SES_LANMAN;
9ac00b7d SF	382
790fe579	383	if (type == LANMAN) {
3979877e	384	#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc	385	char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	386
	387	/* no capabilities flags in old lanman negotiation */
	388
790fe579	389	pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e SF	390	/* BB calculate hash with password */
	391	/* and copy into bcc */
	392
7c7b25bc	393	calc_lanman_hash(ses, lnm_session_key);
790fe579	394	ses->flags \|= CIFS_SES_LANMAN;
750d1151	395	/* #ifdef CONFIG_CIFS_DEBUG2
3979877e	396	cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
7c7b25bc	397	CIFS_SESS_KEY_SIZE);
750d1151	398	#endif */
7c7b25bc SF	399	memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc SF	400	bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e SF	401
	402	/* can not sign if LANMAN negotiated so no need
	403	to calculate signing key? but what if server
	404	changed to do higher than lanman dialect and
	405	we reconnected would we ever calc signing_key? */
	406
790fe579	407	cFYI(1, ("Negotiating LANMAN setting up strings"));
3979877e SF	408	/* Unicode not allowed for LANMAN dialects */
3979877e SF	409	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
790fe579	410	#endif
3979877e	411	} else if (type == NTLM) {
7c7b25bc	412	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	413
	414	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	415	pSMB->req_no_secext.CaseInsensitivePasswordLength =
7c7b25bc	416	cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e	417	pSMB->req_no_secext.CaseSensitivePasswordLength =
7c7b25bc	418	cpu_to_le16(CIFS_SESS_KEY_SIZE);
50c2f753	419
3979877e SF	420	/* calculate session key */
	421	SMBNTencrypt(ses->password, ses->server->cryptKey,
	422	ntlm_session_key);
	423
790fe579	424	if (first_time) /* should this be moved into common code
3979877e	425	with similar ntlmv2 path? */
b609f06a	426	cifs_calculate_mac_key(&ses->server->mac_signing_key,
3979877e SF	427	ntlm_session_key, ses->password);
	428	/* copy session key */
	429
790fe579	430	memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc	431	bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579	432	memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc	433	bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579	434	if (ses->capabilities & CAP_UNICODE) {
0223cf0b SF	435	/* unicode strings must be word aligned */
	436	if (iov[0].iov_len % 2) {
	437	*bcc_ptr = 0;
790fe579 SF	438	bcc_ptr++;
790fe579 SF	439	}
7c7b25bc	440	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	441	} else
7c7b25bc SF	442	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
7c7b25bc SF	443	} else if (type == NTLMv2) {
790fe579	444	char *v2_sess_key =
6d027cfd	445	kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
f64b23ae SF	446
	447	/* BB FIXME change all users of v2_sess_key to
	448	struct ntlmv2_resp */
7c7b25bc	449
790fe579	450	if (v2_sess_key == NULL) {
7c7b25bc SF	451	cifs_small_buf_release(smb_buf);
	452	return -ENOMEM;
	453	}
	454
	455	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	456
	457	/* LM2 password would be here if we supported it */
	458	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
	459	/* cpu_to_le16(LM2_SESS_KEY_SIZE); */
	460
	461	pSMB->req_no_secext.CaseSensitivePasswordLength =
f64b23ae	462	cpu_to_le16(sizeof(struct ntlmv2_resp));
7c7b25bc SF	463
7c7b25bc SF	464	/* calculate session key */
1717ffc5	465	setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
790fe579 SF	466	if (first_time) /* should this be moved into common code
790fe579 SF	467	with similar ntlmv2 path? */
7c7b25bc SF	468	/* cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
	469	response BB FIXME, v2_sess_key); */
	470
	471	/* copy session key */
	472
	473	/* memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
	474	bcc_ptr += LM2_SESS_KEY_SIZE; */
3870253e SF	475	memcpy(bcc_ptr, (char *)v2_sess_key,
3870253e SF	476	sizeof(struct ntlmv2_resp));
f64b23ae SF	477	bcc_ptr += sizeof(struct ntlmv2_resp);
f64b23ae SF	478	kfree(v2_sess_key);
790fe579 SF	479	if (ses->capabilities & CAP_UNICODE) {
790fe579 SF	480	if (iov[0].iov_len % 2) {
0223cf0b SF	481	*bcc_ptr = 0;
0223cf0b SF	482	} bcc_ptr++;
3979877e	483	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	484	} else
3979877e SF	485	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	486	} else /* NTLMSSP or SPNEGO */ {
	487	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
	488	capabilities \|= CAP_EXTENDED_SECURITY;
	489	pSMB->req.Capabilities = cpu_to_le32(capabilities);
	490	/* BB set password lengths */
	491	}
	492
750d1151	493	count = (long) bcc_ptr - (long) str_area;
3979877e SF	494	smb_buf->smb_buf_length += count;
3979877e SF	495
3979877e SF	496	BCC_LE(smb_buf) = cpu_to_le16(count);
3979877e SF	497
750d1151	498	iov[1].iov_base = str_area;
790fe579	499	iov[1].iov_len = count;
750d1151	500	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
3979877e SF	501	/* SMB request buf freed in SendReceive2 */
3979877e SF	502
790fe579 SF	503	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
790fe579 SF	504	if (rc)
3979877e SF	505	goto ssetup_exit;
	506
	507	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	508	smb_buf = (struct smb_hdr *)iov[0].iov_base;
	509
790fe579	510	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
3979877e	511	rc = -EIO;
790fe579	512	cERROR(1, ("bad word count %d", smb_buf->WordCount));
3979877e SF	513	goto ssetup_exit;
	514	}
	515	action = le16_to_cpu(pSMB->resp.Action);
	516	if (action & GUEST_LOGIN)
189acaae	517	cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
3979877e SF	518	ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
	519	cFYI(1, ("UID = %d ", ses->Suid));
	520	/* response can have either 3 or 4 word count - Samba sends 3 */
	521	/* and lanman response is 3 */
	522	bytes_remaining = BCC(smb_buf);
	523	bcc_ptr = pByteArea(smb_buf);
	524
790fe579	525	if (smb_buf->WordCount == 4) {
3979877e SF	526	__u16 blob_len;
	527	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
	528	bcc_ptr += blob_len;
790fe579 SF	529	if (blob_len > bytes_remaining) {
790fe579 SF	530	cERROR(1, ("bad security blob length %d", blob_len));
3979877e SF	531	rc = -EINVAL;
	532	goto ssetup_exit;
	533	}
	534	bytes_remaining -= blob_len;
790fe579	535	}
3979877e SF	536
3979877e SF	537	/* BB check if Unicode and decode strings */
790fe579	538	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
3979877e SF	539	rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
	540	ses, nls_cp);
	541	else
63135e08 SF	542	rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
63135e08 SF	543	ses, nls_cp);
50c2f753	544
3979877e	545	ssetup_exit:
750d1151	546	kfree(str_area);
790fe579 SF	547	if (resp_buf_type == CIFS_SMALL_BUFFER) {
790fe579 SF	548	cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
3979877e	549	cifs_small_buf_release(iov[0].iov_base);
790fe579	550	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
3979877e SF	551	cifs_buf_release(iov[0].iov_base);
	552
	553	return rc;
	554	}