projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
cifs: cifs_convert_address() returns zero on error
[deliverable/linux.git] / fs / cifs / sess.c
CommitLineData
3979877e
SF		 1/*
2 * fs/cifs/sess.c
3 *
4 * SMB/CIFS session setup handling routines
5 *
d185cda7 6 * Copyright (c) International Business Machines Corp., 2006, 2009
3979877e
SF		 7 * Author(s): Steve French (sfrench@us.ibm.com)
8 *
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24#include "cifspdu.h"
25#include "cifsglob.h"
26#include "cifsproto.h"
27#include "cifs_unicode.h"
28#include "cifs_debug.h"
29#include "ntlmssp.h"
30#include "nterr.h"
9c53588e 31#include <linux/utsname.h>
5a0e3ad6 32#include <linux/slab.h>
2442421b 33#include "cifs_spnego.h"
3979877e 34
ebe6aa5a
JL		 35/*
36 * Checks if this is the first smb session to be reconnected after
37 * the socket has been reestablished (so we know whether to use vc 0).
38 * Called while holding the cifs_tcp_ses_lock, so do not block
39 */
eca6acf9
SF		 40static bool is_first_ses_reconnect(struct cifsSesInfo *ses)
41{
42 struct list_head *tmp;
43 struct cifsSesInfo *tmp_ses;
44
45 list_for_each(tmp, &ses->server->smb_ses_list) {
46 tmp_ses = list_entry(tmp, struct cifsSesInfo,
47 smb_ses_list);
48 if (tmp_ses->need_reconnect == false)
49 return false;
50 }
51 /* could not find a session that was already connected,
52 this must be the first one we are reconnecting */
53 return true;
54}
55
56/*
57 * vc number 0 is treated specially by some servers, and should be the
58 * first one we request. After that we can use vcnumbers up to maxvcs,
59 * one for each smb session (some Windows versions set maxvcs incorrectly
60 * so maxvc=1 can be ignored). If we have too many vcs, we can reuse
61 * any vc but zero (some servers reset the connection on vcnum zero)
62 *
63 */
64static __le16 get_next_vcnum(struct cifsSesInfo *ses)
65{
66 __u16 vcnum = 0;
67 struct list_head *tmp;
68 struct cifsSesInfo *tmp_ses;
69 __u16 max_vcs = ses->server->max_vcs;
70 __u16 i;
71 int free_vc_found = 0;
72
73 /* Quoting the MS-SMB specification: "Windows-based SMB servers set this
74 field to one but do not enforce this limit, which allows an SMB client
75 to establish more virtual circuits than allowed by this value ... but
76 other server implementations can enforce this limit." */
77 if (max_vcs < 2)
78 max_vcs = 0xFFFF;
79
3f9bcca7 80 spin_lock(&cifs_tcp_ses_lock);
eca6acf9
SF		 81 if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
82 goto get_vc_num_exit; /* vcnum will be zero */
83 for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
84 if (i == 0) /* this is the only connection, use vc 0 */
85 break;
86
87 free_vc_found = 1;
88
89 list_for_each(tmp, &ses->server->smb_ses_list) {
90 tmp_ses = list_entry(tmp, struct cifsSesInfo,
91 smb_ses_list);
92 if (tmp_ses->vcnum == i) {
93 free_vc_found = 0;
94 break; /* found duplicate, try next vcnum */
95 }
96 }
97 if (free_vc_found)
98 break; /* we found a vcnumber that will work - use it */
99 }
100
101 if (i == 0)
102 vcnum = 0; /* for most common case, ie if one smb session, use
103 vc zero. Also for case when no free vcnum, zero
104 is safest to send (some clients only send zero) */
105 else if (free_vc_found == 0)
106 vcnum = 1; /* we can not reuse vc=0 safely, since some servers
107 reset all uids on that, but 1 is ok. */
108 else
109 vcnum = i;
110 ses->vcnum = vcnum;
111get_vc_num_exit:
3f9bcca7 112 spin_unlock(&cifs_tcp_ses_lock);
eca6acf9 113
051a2a0d 114 return cpu_to_le16(vcnum);
eca6acf9
SF		 115}
116
3979877e
SF		 117static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
118{
119 __u32 capabilities = 0;
120
121 /* init fields common to all four types of SessSetup */
eca6acf9
SF		 122 /* Note that offsets for first seven fields in req struct are same */
123 /* in CIFS Specs so does not matter which of 3 forms of struct */
124 /* that we use in next few lines */
125 /* Note that header is initialized to zero in header_assemble */
3979877e
SF		 126 pSMB->req.AndXCommand = 0xFF;
127 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
128 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
eca6acf9 129 pSMB->req.VcNumber = get_next_vcnum(ses);
3979877e
SF		 130
131 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
132
790fe579 133 /* BB verify whether signing required on neg or just on auth frame
3979877e
SF		 134 (and NTLM case) */
135
136 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
137 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
138
790fe579
SF		 139 if (ses->server->secMode &
140 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
3979877e
SF		 141 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
142
143 if (ses->capabilities & CAP_UNICODE) {
144 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
145 capabilities |= CAP_UNICODE;
146 }
147 if (ses->capabilities & CAP_STATUS32) {
148 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
149 capabilities |= CAP_STATUS32;
150 }
151 if (ses->capabilities & CAP_DFS) {
152 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
153 capabilities |= CAP_DFS;
154 }
26f57364 155 if (ses->capabilities & CAP_UNIX)
3979877e 156 capabilities |= CAP_UNIX;
3979877e 157
3979877e
SF		 158 return capabilities;
159}
160
0d3a01fa
JL		 161static void
162unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
163{
164 char *bcc_ptr = *pbcc_area;
165 int bytes_ret = 0;
166
167 /* Copy OS version */
168 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
169 nls_cp);
170 bcc_ptr += 2 * bytes_ret;
171 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
172 32, nls_cp);
173 bcc_ptr += 2 * bytes_ret;
174 bcc_ptr += 2; /* trailing null */
175
176 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
177 32, nls_cp);
178 bcc_ptr += 2 * bytes_ret;
179 bcc_ptr += 2; /* trailing null */
180
181 *pbcc_area = bcc_ptr;
182}
183
184static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
185 const struct nls_table *nls_cp)
186{
187 char *bcc_ptr = *pbcc_area;
188 int bytes_ret = 0;
189
190 /* copy domain */
191 if (ses->domainName == NULL) {
192 /* Sending null domain better than using a bogus domain name (as
193 we did briefly in 2.6.18) since server will use its default */
194 *bcc_ptr = 0;
195 *(bcc_ptr+1) = 0;
196 bytes_ret = 0;
197 } else
198 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
199 256, nls_cp);
200 bcc_ptr += 2 * bytes_ret;
201 bcc_ptr += 2; /* account for null terminator */
202
203 *pbcc_area = bcc_ptr;
204}
205
206
3870253e 207static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 208 const struct nls_table *nls_cp)
3979877e 209{
790fe579 210 char *bcc_ptr = *pbcc_area;
3979877e
SF		 211 int bytes_ret = 0;
212
213 /* BB FIXME add check that strings total less
214 than 335 or will need to send them as arrays */
215
0223cf0b
SF		 216 /* unicode strings, must be word aligned before the call */
217/* if ((long) bcc_ptr % 2) {
3979877e
SF		 218 *bcc_ptr = 0;
219 bcc_ptr++;
0223cf0b 220 } */
3979877e 221 /* copy user */
790fe579 222 if (ses->userName == NULL) {
6e659c63
SF		 223 /* null user mount */
224 *bcc_ptr = 0;
225 *(bcc_ptr+1) = 0;
301a6a31 226 } else {
3979877e 227 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
301a6a31 228 MAX_USERNAME_SIZE, nls_cp);
3979877e
SF		 229 }
230 bcc_ptr += 2 * bytes_ret;
231 bcc_ptr += 2; /* account for null termination */
3979877e 232
0d3a01fa
JL		 233 unicode_domain_string(&bcc_ptr, ses, nls_cp);
234 unicode_oslm_strings(&bcc_ptr, nls_cp);
3979877e
SF		 235
236 *pbcc_area = bcc_ptr;
237}
238
3870253e 239static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
790fe579 240 const struct nls_table *nls_cp)
3979877e 241{
790fe579 242 char *bcc_ptr = *pbcc_area;
3979877e
SF		 243
244 /* copy user */
245 /* BB what about null user mounts - check that we do this BB */
790fe579
SF		 246 /* copy user */
247 if (ses->userName == NULL) {
248 /* BB what about null user mounts - check that we do this BB */
301a6a31
SF		 249 } else {
250 strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
790fe579 251 }
301a6a31 252 bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
3979877e 253 *bcc_ptr = 0;
790fe579 254 bcc_ptr++; /* account for null termination */
3979877e 255
790fe579
SF		 256 /* copy domain */
257
258 if (ses->domainName != NULL) {
259 strncpy(bcc_ptr, ses->domainName, 256);
3979877e 260 bcc_ptr += strnlen(ses->domainName, 256);
790fe579 261 } /* else we will send a null domain name
6e659c63 262 so the server will default to its own domain */
3979877e
SF		 263 *bcc_ptr = 0;
264 bcc_ptr++;
265
266 /* BB check for overflow here */
267
268 strcpy(bcc_ptr, "Linux version ");
269 bcc_ptr += strlen("Linux version ");
96b644bd
SH		 270 strcpy(bcc_ptr, init_utsname()->release);
271 bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e
SF		 272
273 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
274 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
275
790fe579 276 *pbcc_area = bcc_ptr;
3979877e
SF		 277}
278
59140797
JL		 279static void
280decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
281 const struct nls_table *nls_cp)
3979877e 282{
59140797 283 int len;
790fe579 284 char *data = *pbcc_area;
3979877e 285
b6b38f70 286 cFYI(1, "bleft %d", bleft);
3979877e 287
27b87fe5
JL		 288 /*
289 * Windows servers do not always double null terminate their final
290 * Unicode string. Check to see if there are an uneven number of bytes
291 * left. If so, then add an extra NULL pad byte to the end of the
292 * response.
293 *
294 * See section 2.7.2 in "Implementing CIFS" for details
295 */
296 if (bleft % 2) {
297 data[bleft] = 0;
298 ++bleft;
299 }
50c2f753 300
26f57364 301 kfree(ses->serverOS);
d185cda7 302 ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 303 cFYI(1, "serverOS=%s", ses->serverOS);
59140797
JL		 304 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
305 data += len;
306 bleft -= len;
307 if (bleft <= 0)
308 return;
3979877e 309
26f57364 310 kfree(ses->serverNOS);
d185cda7 311 ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 312 cFYI(1, "serverNOS=%s", ses->serverNOS);
59140797
JL		 313 len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
314 data += len;
315 bleft -= len;
316 if (bleft <= 0)
317 return;
790fe579 318
26f57364 319 kfree(ses->serverDomain);
d185cda7 320 ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
b6b38f70 321 cFYI(1, "serverDomain=%s", ses->serverDomain);
790fe579 322
59140797 323 return;
3979877e
SF		 324}
325
790fe579
SF		 326static int decode_ascii_ssetup(char **pbcc_area, int bleft,
327 struct cifsSesInfo *ses,
328 const struct nls_table *nls_cp)
3979877e
SF		 329{
330 int rc = 0;
331 int len;
790fe579 332 char *bcc_ptr = *pbcc_area;
3979877e 333
b6b38f70 334 cFYI(1, "decode sessetup ascii. bleft %d", bleft);
50c2f753 335
3979877e 336 len = strnlen(bcc_ptr, bleft);
790fe579 337 if (len >= bleft)
3979877e 338 return rc;
50c2f753 339
26f57364 340 kfree(ses->serverOS);
3979877e
SF		 341
342 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 343 if (ses->serverOS)
3979877e 344 strncpy(ses->serverOS, bcc_ptr, len);
790fe579 345 if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
b6b38f70 346 cFYI(1, "OS/2 server");
9ac00b7d
SF		 347 ses->flags |= CIFS_SES_OS2;
348 }
3979877e
SF		 349
350 bcc_ptr += len + 1;
351 bleft -= len + 1;
352
353 len = strnlen(bcc_ptr, bleft);
790fe579 354 if (len >= bleft)
3979877e
SF		 355 return rc;
356
26f57364 357 kfree(ses->serverNOS);
3979877e
SF		 358
359 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
790fe579 360 if (ses->serverNOS)
3979877e
SF		 361 strncpy(ses->serverNOS, bcc_ptr, len);
362
363 bcc_ptr += len + 1;
364 bleft -= len + 1;
365
790fe579
SF		 366 len = strnlen(bcc_ptr, bleft);
367 if (len > bleft)
368 return rc;
3979877e 369
9ac00b7d
SF		 370 /* No domain field in LANMAN case. Domain is
371 returned by old servers in the SMB negprot response */
372 /* BB For newer servers which do not support Unicode,
373 but thus do return domain here we could add parsing
374 for it later, but it is not very important */
b6b38f70 375 cFYI(1, "ascii: bytes left %d", bleft);
3979877e
SF		 376
377 return rc;
378}
379
0b3cc858
SF		 380static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
381 struct cifsSesInfo *ses)
382{
2b149f11
SP		 383 unsigned int tioffset; /* challenge message target info area */
384 unsigned int tilen; /* challenge message target info area length */
385
0b3cc858
SF		 386 CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
387
388 if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
b6b38f70 389 cERROR(1, "challenge blob len %d too small", blob_len);
0b3cc858
SF		 390 return -EINVAL;
391 }
392
393 if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
b6b38f70 394 cERROR(1, "blob signature incorrect %s", pblob->Signature);
0b3cc858
SF		 395 return -EINVAL;
396 }
397 if (pblob->MessageType != NtLmChallenge) {
b6b38f70 398 cERROR(1, "Incorrect message type %d", pblob->MessageType);
0b3cc858
SF		 399 return -EINVAL;
400 }
401
5d0d2882 402 memcpy(ses->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
0b3cc858
SF		 403 /* BB we could decode pblob->NegotiateFlags; some may be useful */
404 /* In particular we can examine sign flags */
405 /* BB spec says that if AvId field of MsvAvTimestamp is populated then
406 we must set the MIC field of the AUTHENTICATE_MESSAGE */
407
2b149f11
SP		 408 tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
409 tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
410 ses->tilen = tilen;
411 if (ses->tilen) {
412 ses->tiblob = kmalloc(tilen, GFP_KERNEL);
413 if (!ses->tiblob) {
414 cERROR(1, "Challenge target info allocation failure");
415 ses->tilen = 0;
416 return -ENOMEM;
417 }
418 memcpy(ses->tiblob, bcc_ptr + tioffset, ses->tilen);
419 }
420
0b3cc858
SF		 421 return 0;
422}
423
424#ifdef CONFIG_CIFS_EXPERIMENTAL
425/* BB Move to ntlmssp.c eventually */
426
427/* We do not malloc the blob, it is passed in pbuffer, because
428 it is fixed size, and small, making this approach cleaner */
429static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
430 struct cifsSesInfo *ses)
431{
432 NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
433 __u32 flags;
434
435 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
436 sec_blob->MessageType = NtLmNegotiate;
437
438 /* BB is NTLMV2 session security format easier to use here? */
439 flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
440 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 441 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858 442 if (ses->server->secMode &
745e507a
SF		 443 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
444 flags |= NTLMSSP_NEGOTIATE_SIGN;
445 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
446 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
0b3cc858
SF		 447
448 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
449
450 sec_blob->WorkstationName.BufferOffset = 0;
451 sec_blob->WorkstationName.Length = 0;
452 sec_blob->WorkstationName.MaximumLength = 0;
453
454 /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
455 sec_blob->DomainName.BufferOffset = 0;
456 sec_blob->DomainName.Length = 0;
457 sec_blob->DomainName.MaximumLength = 0;
458}
459
460/* We do not malloc the blob, it is passed in pbuffer, because its
461 maximum possible size is fixed and small, making this approach cleaner.
462 This function returns the length of the data in the blob */
463static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
89f150f4 464 u16 *buflen,
0b3cc858 465 struct cifsSesInfo *ses,
2b149f11 466 const struct nls_table *nls_cp)
0b3cc858 467{
2b149f11 468 int rc;
0b3cc858
SF		 469 AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
470 __u32 flags;
471 unsigned char *tmp;
0b3cc858
SF		 472
473 memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
474 sec_blob->MessageType = NtLmAuthenticate;
475
476 flags = NTLMSSP_NEGOTIATE_56 |
477 NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
478 NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
2b149f11 479 NTLMSSP_NEGOTIATE_NTLM;
0b3cc858
SF		 480 if (ses->server->secMode &
481 (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
482 flags |= NTLMSSP_NEGOTIATE_SIGN;
483 if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
484 flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
485
486 tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
487 sec_blob->NegotiateFlags |= cpu_to_le32(flags);
488
489 sec_blob->LmChallengeResponse.BufferOffset =
490 cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
491 sec_blob->LmChallengeResponse.Length = 0;
492 sec_blob->LmChallengeResponse.MaximumLength = 0;
493
c8e56f1f 494 sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
21e73393 495 rc = setup_ntlmv2_rsp(ses, nls_cp);
2b149f11
SP		 496 if (rc) {
497 cERROR(1, "Error %d during NTLMSSP authentication", rc);
498 goto setup_ntlmv2_ret;
499 }
21e73393
SP		 500 memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
501 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
502 tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
c8e56f1f 503
21e73393
SP		 504 sec_blob->NtChallengeResponse.Length =
505 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
2b149f11 506 sec_blob->NtChallengeResponse.MaximumLength =
21e73393 507 cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
0b3cc858
SF		 508
509 if (ses->domainName == NULL) {
510 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
511 sec_blob->DomainName.Length = 0;
512 sec_blob->DomainName.MaximumLength = 0;
513 tmp += 2;
514 } else {
515 int len;
516 len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
517 MAX_USERNAME_SIZE, nls_cp);
518 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 519 sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
520 sec_blob->DomainName.Length = cpu_to_le16(len);
521 sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
522 tmp += len;
523 }
524
525 if (ses->userName == NULL) {
526 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
527 sec_blob->UserName.Length = 0;
528 sec_blob->UserName.MaximumLength = 0;
529 tmp += 2;
530 } else {
531 int len;
532 len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
533 MAX_USERNAME_SIZE, nls_cp);
534 len *= 2; /* unicode is 2 bytes each */
0b3cc858
SF		 535 sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
536 sec_blob->UserName.Length = cpu_to_le16(len);
537 sec_blob->UserName.MaximumLength = cpu_to_le16(len);
538 tmp += len;
539 }
540
541 sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
542 sec_blob->WorkstationName.Length = 0;
543 sec_blob->WorkstationName.MaximumLength = 0;
544 tmp += 2;
545
c8e56f1f
SF		 546 sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
547 sec_blob->SessionKey.Length = 0;
548 sec_blob->SessionKey.MaximumLength = 0;
2b149f11
SP		 549
550setup_ntlmv2_ret:
89f150f4
SP		 551 *buflen = tmp - pbuffer;
552 return rc;
0b3cc858
SF		 553}
554
555
556static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
557 struct cifsSesInfo *ses)
558{
559 build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
560 pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
561
562 return;
563}
0b3cc858
SF		 564#endif
565
790fe579 566int
ebe6aa5a
JL		 567CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
568 const struct nls_table *nls_cp)
3979877e
SF		 569{
570 int rc = 0;
571 int wct;
3979877e
SF		 572 struct smb_hdr *smb_buf;
573 char *bcc_ptr;
750d1151 574 char *str_area;
3979877e
SF		 575 SESSION_SETUP_ANDX *pSMB;
576 __u32 capabilities;
577 int count;
2442421b
SF		 578 int resp_buf_type;
579 struct kvec iov[3];
3979877e
SF		 580 enum securityEnum type;
581 __u16 action;
582 int bytes_remaining;
2442421b 583 struct key *spnego_key = NULL;
0b3cc858 584 __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
89f150f4 585 u16 blob_len;
2b149f11 586 char *ntlmsspblob = NULL;
254e55ed 587
790fe579 588 if (ses == NULL)
3979877e
SF		 589 return -EINVAL;
590
591 type = ses->server->secType;
f40c5628 592
b6b38f70 593 cFYI(1, "sess setup type %d", type);
0b3cc858
SF		 594ssetup_ntlmssp_authenticate:
595 if (phase == NtLmChallenge)
596 phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
597
790fe579 598 if (type == LANMAN) {
3979877e
SF		 599#ifndef CONFIG_CIFS_WEAK_PW_HASH
600 /* LANMAN and plaintext are less secure and off by default.
601 So we make this explicitly be turned on in kconfig (in the
602 build) and turned on at runtime (changed from the default)
603 in proc/fs/cifs or via mount parm. Unfortunately this is
604 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
605 return -EOPNOTSUPP;
606#endif
607 wct = 10; /* lanman 2 style sessionsetup */
790fe579 608 } else if ((type == NTLM) || (type == NTLMv2)) {
9312f675 609 /* For NTLMv2 failures eventually may need to retry NTLM */
3979877e 610 wct = 13; /* old style NTLM sessionsetup */
790fe579 611 } else /* same size: negotiate or auth, NTLMSSP or extended security */
3979877e
SF		 612 wct = 12;
613
614 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
615 (void **)&smb_buf);
790fe579 616 if (rc)
3979877e
SF		 617 return rc;
618
619 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
620
621 capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 622
2442421b
SF		 623 /* we will send the SMB in three pieces:
624 a fixed length beginning part, an optional
625 SPNEGO blob (which can be zero length), and a
626 last part which will include the strings
627 and rest of bcc area. This allows us to avoid
628 a large buffer 17K allocation */
790fe579
SF		 629 iov[0].iov_base = (char *)pSMB;
630 iov[0].iov_len = smb_buf->smb_buf_length + 4;
750d1151 631
2442421b
SF		 632 /* setting this here allows the code at the end of the function
633 to free the request buffer if there's an error */
634 resp_buf_type = CIFS_SMALL_BUFFER;
635
750d1151
SF		 636 /* 2000 big enough to fit max user, domain, NOS name etc. */
637 str_area = kmalloc(2000, GFP_KERNEL);
5e6e6232 638 if (str_area == NULL) {
2442421b
SF		 639 rc = -ENOMEM;
640 goto ssetup_exit;
5e6e6232 641 }
750d1151 642 bcc_ptr = str_area;
3979877e 643
9ac00b7d
SF		 644 ses->flags &= ~CIFS_SES_LANMAN;
645
2442421b
SF		 646 iov[1].iov_base = NULL;
647 iov[1].iov_len = 0;
648
790fe579 649 if (type == LANMAN) {
3979877e 650#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc 651 char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e 652
c76da9da
SF		 653 pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
654
3979877e
SF		 655 /* no capabilities flags in old lanman negotiation */
656
790fe579 657 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e
SF		 658 /* BB calculate hash with password */
659 /* and copy into bcc */
660
5d0d2882 661 calc_lanman_hash(ses->password, ses->cryptKey,
4e53a3fb
JL		 662 ses->server->secMode & SECMODE_PW_ENCRYPT ?
663 true : false, lnm_session_key);
664
790fe579 665 ses->flags |= CIFS_SES_LANMAN;
7c7b25bc
SF		 666 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
667 bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e
SF		 668
669 /* can not sign if LANMAN negotiated so no need
670 to calculate signing key? but what if server
671 changed to do higher than lanman dialect and
672 we reconnected would we ever calc signing_key? */
673
b6b38f70 674 cFYI(1, "Negotiating LANMAN setting up strings");
3979877e
SF		 675 /* Unicode not allowed for LANMAN dialects */
676 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
790fe579 677#endif
3979877e 678 } else if (type == NTLM) {
3979877e
SF		 679 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
680 pSMB->req_no_secext.CaseInsensitivePasswordLength =
21e73393 681 cpu_to_le16(CIFS_AUTH_RESP_SIZE);
3979877e 682 pSMB->req_no_secext.CaseSensitivePasswordLength =
21e73393
SP		 683 cpu_to_le16(CIFS_AUTH_RESP_SIZE);
684
685 /* calculate ntlm response and session key */
686 rc = setup_ntlm_response(ses);
687 if (rc) {
688 cERROR(1, "Error %d during NTLM authentication", rc);
689 goto ssetup_exit;
690 }
50c2f753 691
21e73393
SP		 692 /* copy ntlm response */
693 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
694 CIFS_AUTH_RESP_SIZE);
695 bcc_ptr += CIFS_AUTH_RESP_SIZE;
696 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
697 CIFS_AUTH_RESP_SIZE);
698 bcc_ptr += CIFS_AUTH_RESP_SIZE;
3979877e 699
790fe579 700 if (ses->capabilities & CAP_UNICODE) {
0223cf0b
SF		 701 /* unicode strings must be word aligned */
702 if (iov[0].iov_len % 2) {
703 *bcc_ptr = 0;
790fe579
SF		 704 bcc_ptr++;
705 }
7c7b25bc 706 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 707 } else
7c7b25bc
SF		 708 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
709 } else if (type == NTLMv2) {
7c7b25bc
SF		 710 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
711
712 /* LM2 password would be here if we supported it */
713 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
7c7b25bc 714
21e73393
SP		 715 /* calculate nlmv2 response and session key */
716 rc = setup_ntlmv2_rsp(ses, nls_cp);
2b149f11
SP		 717 if (rc) {
718 cERROR(1, "Error %d during NTLMv2 authentication", rc);
2b149f11
SP		 719 goto ssetup_exit;
720 }
21e73393
SP		 721 memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
722 ses->auth_key.len - CIFS_SESS_KEY_SIZE);
723 bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
724
c9928f70
SP		 725 /* set case sensitive password length after tilen may get
726 * assigned, tilen is 0 otherwise.
727 */
728 pSMB->req_no_secext.CaseSensitivePasswordLength =
21e73393 729 cpu_to_le16(ses->auth_key.len);
c9928f70 730
790fe579
SF		 731 if (ses->capabilities & CAP_UNICODE) {
732 if (iov[0].iov_len % 2) {
0223cf0b 733 *bcc_ptr = 0;
26f57364
SF		 734 bcc_ptr++;
735 }
3979877e 736 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b 737 } else
3979877e 738 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
26efa0ba 739 } else if (type == Kerberos) {
2442421b
SF		 740#ifdef CONFIG_CIFS_UPCALL
741 struct cifs_spnego_msg *msg;
21e73393 742
2442421b
SF		 743 spnego_key = cifs_get_spnego_key(ses);
744 if (IS_ERR(spnego_key)) {
745 rc = PTR_ERR(spnego_key);
746 spnego_key = NULL;
747 goto ssetup_exit;
748 }
749
750 msg = spnego_key->payload.data;
6ce5eecb
SF		 751 /* check version field to make sure that cifs.upcall is
752 sending us a response in an expected form */
753 if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
b6b38f70 754 cERROR(1, "incorrect version of cifs.upcall (expected"
6ce5eecb 755 " %d but got %d)",
b6b38f70 756 CIFS_SPNEGO_UPCALL_VERSION, msg->version);
6ce5eecb
SF		 757 rc = -EKEYREJECTED;
758 goto ssetup_exit;
759 }
21e73393
SP		 760
761 ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
762 if (!ses->auth_key.response) {
763 cERROR(1, "Kerberos can't allocate (%u bytes) memory",
764 msg->sesskey_len);
765 rc = -ENOMEM;
2442421b
SF		 766 goto ssetup_exit;
767 }
21e73393 768 memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
5d0d2882 769 ses->auth_key.len = msg->sesskey_len;
21e73393 770
3979877e
SF		 771 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
772 capabilities |= CAP_EXTENDED_SECURITY;
773 pSMB->req.Capabilities = cpu_to_le32(capabilities);
2442421b
SF		 774 iov[1].iov_base = msg->data + msg->sesskey_len;
775 iov[1].iov_len = msg->secblob_len;
776 pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
777
778 if (ses->capabilities & CAP_UNICODE) {
779 /* unicode strings must be word aligned */
28c5a02a 780 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
2442421b
SF		 781 *bcc_ptr = 0;
782 bcc_ptr++;
783 }
784 unicode_oslm_strings(&bcc_ptr, nls_cp);
785 unicode_domain_string(&bcc_ptr, ses, nls_cp);
786 } else
787 /* BB: is this right? */
788 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
789#else /* ! CONFIG_CIFS_UPCALL */
b6b38f70 790 cERROR(1, "Kerberos negotiated but upcall support disabled!");
2442421b
SF		 791 rc = -ENOSYS;
792 goto ssetup_exit;
793#endif /* CONFIG_CIFS_UPCALL */
794 } else {
0b3cc858 795#ifdef CONFIG_CIFS_EXPERIMENTAL
f46c7234 796 if (type == RawNTLMSSP) {
0b3cc858 797 if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
b6b38f70 798 cERROR(1, "NTLMSSP requires Unicode support");
0b3cc858
SF		 799 rc = -ENOSYS;
800 goto ssetup_exit;
801 }
802
b6b38f70 803 cFYI(1, "ntlmssp session setup phase %d", phase);
0b3cc858
SF		 804 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
805 capabilities |= CAP_EXTENDED_SECURITY;
806 pSMB->req.Capabilities |= cpu_to_le32(capabilities);
807 if (phase == NtLmNegotiate) {
808 setup_ntlmssp_neg_req(pSMB, ses);
809 iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
2b149f11 810 iov[1].iov_base = &pSMB->req.SecurityBlob[0];
0b3cc858 811 } else if (phase == NtLmAuthenticate) {
2b149f11
SP		 812 /* 5 is an empirical value, large enought to
813 * hold authenticate message, max 10 of
814 * av paris, doamin,user,workstation mames,
815 * flags etc..
816 */
817 ntlmsspblob = kmalloc(
818 5*sizeof(struct _AUTHENTICATE_MESSAGE),
819 GFP_KERNEL);
820 if (!ntlmsspblob) {
821 cERROR(1, "Can't allocate NTLMSSP");
822 rc = -ENOMEM;
823 goto ssetup_exit;
824 }
825
89f150f4
SP		 826 rc = build_ntlmssp_auth_blob(ntlmsspblob,
827 &blob_len, ses, nls_cp);
828 if (rc)
829 goto ssetup_exit;
0b3cc858 830 iov[1].iov_len = blob_len;
2b149f11
SP		 831 iov[1].iov_base = ntlmsspblob;
832 pSMB->req.SecurityBlobLength =
833 cpu_to_le16(blob_len);
844823cb
SF		 834 /* Make sure that we tell the server that we
835 are using the uid that it just gave us back
836 on the response (challenge) */
837 smb_buf->Uid = ses->Suid;
0b3cc858 838 } else {
b6b38f70 839 cERROR(1, "invalid phase %d", phase);
0b3cc858
SF		 840 rc = -ENOSYS;
841 goto ssetup_exit;
842 }
0b3cc858
SF		 843 /* unicode strings must be word aligned */
844 if ((iov[0].iov_len + iov[1].iov_len) % 2) {
845 *bcc_ptr = 0;
846 bcc_ptr++;
847 }
848 unicode_oslm_strings(&bcc_ptr, nls_cp);
849 } else {
b6b38f70 850 cERROR(1, "secType %d not supported!", type);
0b3cc858
SF		 851 rc = -ENOSYS;
852 goto ssetup_exit;
853 }
854#else
b6b38f70 855 cERROR(1, "secType %d not supported!", type);
2442421b
SF		 856 rc = -ENOSYS;
857 goto ssetup_exit;
0b3cc858 858#endif
3979877e
SF		 859 }
860
2442421b
SF		 861 iov[2].iov_base = str_area;
862 iov[2].iov_len = (long) bcc_ptr - (long) str_area;
863
864 count = iov[1].iov_len + iov[2].iov_len;
3979877e
SF		 865 smb_buf->smb_buf_length += count;
866
3979877e
SF		 867 BCC_LE(smb_buf) = cpu_to_le16(count);
868
2442421b 869 rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
133672ef 870 CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
3979877e
SF		 871 /* SMB request buf freed in SendReceive2 */
872
3979877e
SF		 873 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
874 smb_buf = (struct smb_hdr *)iov[0].iov_base;
875
0b3cc858
SF		 876 if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
877 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
878 if (phase != NtLmNegotiate) {
b6b38f70 879 cERROR(1, "Unexpected more processing error");
0b3cc858
SF		 880 goto ssetup_exit;
881 }
882 /* NTLMSSP Negotiate sent now processing challenge (response) */
883 phase = NtLmChallenge; /* process ntlmssp challenge */
884 rc = 0; /* MORE_PROC rc is not an error here, but expected */
885 }
886 if (rc)
887 goto ssetup_exit;
888
790fe579 889 if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
3979877e 890 rc = -EIO;
b6b38f70 891 cERROR(1, "bad word count %d", smb_buf->WordCount);
3979877e
SF		 892 goto ssetup_exit;
893 }
894 action = le16_to_cpu(pSMB->resp.Action);
895 if (action & GUEST_LOGIN)
b6b38f70 896 cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
3979877e 897 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
b6b38f70 898 cFYI(1, "UID = %d ", ses->Suid);
3979877e
SF		 899 /* response can have either 3 or 4 word count - Samba sends 3 */
900 /* and lanman response is 3 */
901 bytes_remaining = BCC(smb_buf);
902 bcc_ptr = pByteArea(smb_buf);
903
790fe579 904 if (smb_buf->WordCount == 4) {
3979877e 905 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
790fe579 906 if (blob_len > bytes_remaining) {
b6b38f70 907 cERROR(1, "bad security blob length %d", blob_len);
3979877e
SF		 908 rc = -EINVAL;
909 goto ssetup_exit;
910 }
0b3cc858
SF		 911 if (phase == NtLmChallenge) {
912 rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
913 /* now goto beginning for ntlmssp authenticate phase */
914 if (rc)
915 goto ssetup_exit;
916 }
917 bcc_ptr += blob_len;
3979877e 918 bytes_remaining -= blob_len;
790fe579 919 }
3979877e
SF		 920
921 /* BB check if Unicode and decode strings */
27b87fe5
JL		 922 if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
923 /* unicode string area must be word-aligned */
924 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
925 ++bcc_ptr;
926 --bytes_remaining;
927 }
59140797 928 decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
27b87fe5 929 } else {
63135e08
SF		 930 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
931 ses, nls_cp);
27b87fe5 932 }
50c2f753 933
3979877e 934ssetup_exit:
dfd15c46
JL		 935 if (spnego_key) {
936 key_revoke(spnego_key);
2442421b 937 key_put(spnego_key);
dfd15c46 938 }
750d1151 939 kfree(str_area);
2b149f11
SP		 940 kfree(ntlmsspblob);
941 ntlmsspblob = NULL;
790fe579 942 if (resp_buf_type == CIFS_SMALL_BUFFER) {
b6b38f70 943 cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
3979877e 944 cifs_small_buf_release(iov[0].iov_base);
790fe579 945 } else if (resp_buf_type == CIFS_LARGE_BUFFER)
3979877e
SF		 946 cifs_buf_release(iov[0].iov_base);
947
0b3cc858
SF		 948 /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
949 if ((phase == NtLmChallenge) && (rc == 0))
950 goto ssetup_ntlmssp_authenticate;
951
3979877e
SF		 952 return rc;
953}
Linux kernel - Deliverables
This page took 0.37946 seconds and 5 git commands to generate.