]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * fs/cifs/sess.c | |
3 | * | |
4 | * SMB/CIFS session setup handling routines | |
5 | * | |
6 | * Copyright (c) International Business Machines Corp., 2006, 2009 | |
7 | * Author(s): Steve French (sfrench@us.ibm.com) | |
8 | * | |
9 | * This library is free software; you can redistribute it and/or modify | |
10 | * it under the terms of the GNU Lesser General Public License as published | |
11 | * by the Free Software Foundation; either version 2.1 of the License, or | |
12 | * (at your option) any later version. | |
13 | * | |
14 | * This library is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
17 | * the GNU Lesser General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU Lesser General Public License | |
20 | * along with this library; if not, write to the Free Software | |
21 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
22 | */ | |
23 | ||
24 | #include "cifspdu.h" | |
25 | #include "cifsglob.h" | |
26 | #include "cifsproto.h" | |
27 | #include "cifs_unicode.h" | |
28 | #include "cifs_debug.h" | |
29 | #include "ntlmssp.h" | |
30 | #include "nterr.h" | |
31 | #include <linux/utsname.h> | |
32 | #include <linux/slab.h> | |
33 | #include "cifs_spnego.h" | |
34 | ||
35 | static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB) | |
36 | { | |
37 | __u32 capabilities = 0; | |
38 | ||
39 | /* init fields common to all four types of SessSetup */ | |
40 | /* Note that offsets for first seven fields in req struct are same */ | |
41 | /* in CIFS Specs so does not matter which of 3 forms of struct */ | |
42 | /* that we use in next few lines */ | |
43 | /* Note that header is initialized to zero in header_assemble */ | |
44 | pSMB->req.AndXCommand = 0xFF; | |
45 | pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32, | |
46 | CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4, | |
47 | USHRT_MAX)); | |
48 | pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq); | |
49 | pSMB->req.VcNumber = __constant_cpu_to_le16(1); | |
50 | ||
51 | /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ | |
52 | ||
53 | /* BB verify whether signing required on neg or just on auth frame | |
54 | (and NTLM case) */ | |
55 | ||
56 | capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS | | |
57 | CAP_LARGE_WRITE_X | CAP_LARGE_READ_X; | |
58 | ||
59 | if (ses->server->sign) | |
60 | pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE; | |
61 | ||
62 | if (ses->capabilities & CAP_UNICODE) { | |
63 | pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE; | |
64 | capabilities |= CAP_UNICODE; | |
65 | } | |
66 | if (ses->capabilities & CAP_STATUS32) { | |
67 | pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS; | |
68 | capabilities |= CAP_STATUS32; | |
69 | } | |
70 | if (ses->capabilities & CAP_DFS) { | |
71 | pSMB->req.hdr.Flags2 |= SMBFLG2_DFS; | |
72 | capabilities |= CAP_DFS; | |
73 | } | |
74 | if (ses->capabilities & CAP_UNIX) | |
75 | capabilities |= CAP_UNIX; | |
76 | ||
77 | return capabilities; | |
78 | } | |
79 | ||
80 | static void | |
81 | unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) | |
82 | { | |
83 | char *bcc_ptr = *pbcc_area; | |
84 | int bytes_ret = 0; | |
85 | ||
86 | /* Copy OS version */ | |
87 | bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", 32, | |
88 | nls_cp); | |
89 | bcc_ptr += 2 * bytes_ret; | |
90 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release, | |
91 | 32, nls_cp); | |
92 | bcc_ptr += 2 * bytes_ret; | |
93 | bcc_ptr += 2; /* trailing null */ | |
94 | ||
95 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, | |
96 | 32, nls_cp); | |
97 | bcc_ptr += 2 * bytes_ret; | |
98 | bcc_ptr += 2; /* trailing null */ | |
99 | ||
100 | *pbcc_area = bcc_ptr; | |
101 | } | |
102 | ||
103 | static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, | |
104 | const struct nls_table *nls_cp) | |
105 | { | |
106 | char *bcc_ptr = *pbcc_area; | |
107 | int bytes_ret = 0; | |
108 | ||
109 | /* copy domain */ | |
110 | if (ses->domainName == NULL) { | |
111 | /* Sending null domain better than using a bogus domain name (as | |
112 | we did briefly in 2.6.18) since server will use its default */ | |
113 | *bcc_ptr = 0; | |
114 | *(bcc_ptr+1) = 0; | |
115 | bytes_ret = 0; | |
116 | } else | |
117 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, | |
118 | CIFS_MAX_DOMAINNAME_LEN, nls_cp); | |
119 | bcc_ptr += 2 * bytes_ret; | |
120 | bcc_ptr += 2; /* account for null terminator */ | |
121 | ||
122 | *pbcc_area = bcc_ptr; | |
123 | } | |
124 | ||
125 | ||
126 | static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, | |
127 | const struct nls_table *nls_cp) | |
128 | { | |
129 | char *bcc_ptr = *pbcc_area; | |
130 | int bytes_ret = 0; | |
131 | ||
132 | /* BB FIXME add check that strings total less | |
133 | than 335 or will need to send them as arrays */ | |
134 | ||
135 | /* unicode strings, must be word aligned before the call */ | |
136 | /* if ((long) bcc_ptr % 2) { | |
137 | *bcc_ptr = 0; | |
138 | bcc_ptr++; | |
139 | } */ | |
140 | /* copy user */ | |
141 | if (ses->user_name == NULL) { | |
142 | /* null user mount */ | |
143 | *bcc_ptr = 0; | |
144 | *(bcc_ptr+1) = 0; | |
145 | } else { | |
146 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name, | |
147 | CIFS_MAX_USERNAME_LEN, nls_cp); | |
148 | } | |
149 | bcc_ptr += 2 * bytes_ret; | |
150 | bcc_ptr += 2; /* account for null termination */ | |
151 | ||
152 | unicode_domain_string(&bcc_ptr, ses, nls_cp); | |
153 | unicode_oslm_strings(&bcc_ptr, nls_cp); | |
154 | ||
155 | *pbcc_area = bcc_ptr; | |
156 | } | |
157 | ||
158 | static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, | |
159 | const struct nls_table *nls_cp) | |
160 | { | |
161 | char *bcc_ptr = *pbcc_area; | |
162 | ||
163 | /* copy user */ | |
164 | /* BB what about null user mounts - check that we do this BB */ | |
165 | /* copy user */ | |
166 | if (ses->user_name != NULL) { | |
167 | strncpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); | |
168 | bcc_ptr += strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); | |
169 | } | |
170 | /* else null user mount */ | |
171 | *bcc_ptr = 0; | |
172 | bcc_ptr++; /* account for null termination */ | |
173 | ||
174 | /* copy domain */ | |
175 | if (ses->domainName != NULL) { | |
176 | strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); | |
177 | bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); | |
178 | } /* else we will send a null domain name | |
179 | so the server will default to its own domain */ | |
180 | *bcc_ptr = 0; | |
181 | bcc_ptr++; | |
182 | ||
183 | /* BB check for overflow here */ | |
184 | ||
185 | strcpy(bcc_ptr, "Linux version "); | |
186 | bcc_ptr += strlen("Linux version "); | |
187 | strcpy(bcc_ptr, init_utsname()->release); | |
188 | bcc_ptr += strlen(init_utsname()->release) + 1; | |
189 | ||
190 | strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); | |
191 | bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; | |
192 | ||
193 | *pbcc_area = bcc_ptr; | |
194 | } | |
195 | ||
196 | static void | |
197 | decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses, | |
198 | const struct nls_table *nls_cp) | |
199 | { | |
200 | int len; | |
201 | char *data = *pbcc_area; | |
202 | ||
203 | cifs_dbg(FYI, "bleft %d\n", bleft); | |
204 | ||
205 | kfree(ses->serverOS); | |
206 | ses->serverOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); | |
207 | cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS); | |
208 | len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; | |
209 | data += len; | |
210 | bleft -= len; | |
211 | if (bleft <= 0) | |
212 | return; | |
213 | ||
214 | kfree(ses->serverNOS); | |
215 | ses->serverNOS = cifs_strndup_from_utf16(data, bleft, true, nls_cp); | |
216 | cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS); | |
217 | len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2; | |
218 | data += len; | |
219 | bleft -= len; | |
220 | if (bleft <= 0) | |
221 | return; | |
222 | ||
223 | kfree(ses->serverDomain); | |
224 | ses->serverDomain = cifs_strndup_from_utf16(data, bleft, true, nls_cp); | |
225 | cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain); | |
226 | ||
227 | return; | |
228 | } | |
229 | ||
230 | static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft, | |
231 | struct cifs_ses *ses, | |
232 | const struct nls_table *nls_cp) | |
233 | { | |
234 | int len; | |
235 | char *bcc_ptr = *pbcc_area; | |
236 | ||
237 | cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft); | |
238 | ||
239 | len = strnlen(bcc_ptr, bleft); | |
240 | if (len >= bleft) | |
241 | return; | |
242 | ||
243 | kfree(ses->serverOS); | |
244 | ||
245 | ses->serverOS = kzalloc(len + 1, GFP_KERNEL); | |
246 | if (ses->serverOS) | |
247 | strncpy(ses->serverOS, bcc_ptr, len); | |
248 | if (strncmp(ses->serverOS, "OS/2", 4) == 0) | |
249 | cifs_dbg(FYI, "OS/2 server\n"); | |
250 | ||
251 | bcc_ptr += len + 1; | |
252 | bleft -= len + 1; | |
253 | ||
254 | len = strnlen(bcc_ptr, bleft); | |
255 | if (len >= bleft) | |
256 | return; | |
257 | ||
258 | kfree(ses->serverNOS); | |
259 | ||
260 | ses->serverNOS = kzalloc(len + 1, GFP_KERNEL); | |
261 | if (ses->serverNOS) | |
262 | strncpy(ses->serverNOS, bcc_ptr, len); | |
263 | ||
264 | bcc_ptr += len + 1; | |
265 | bleft -= len + 1; | |
266 | ||
267 | len = strnlen(bcc_ptr, bleft); | |
268 | if (len > bleft) | |
269 | return; | |
270 | ||
271 | /* No domain field in LANMAN case. Domain is | |
272 | returned by old servers in the SMB negprot response */ | |
273 | /* BB For newer servers which do not support Unicode, | |
274 | but thus do return domain here we could add parsing | |
275 | for it later, but it is not very important */ | |
276 | cifs_dbg(FYI, "ascii: bytes left %d\n", bleft); | |
277 | } | |
278 | ||
279 | int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, | |
280 | struct cifs_ses *ses) | |
281 | { | |
282 | unsigned int tioffset; /* challenge message target info area */ | |
283 | unsigned int tilen; /* challenge message target info area length */ | |
284 | ||
285 | CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr; | |
286 | ||
287 | if (blob_len < sizeof(CHALLENGE_MESSAGE)) { | |
288 | cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len); | |
289 | return -EINVAL; | |
290 | } | |
291 | ||
292 | if (memcmp(pblob->Signature, "NTLMSSP", 8)) { | |
293 | cifs_dbg(VFS, "blob signature incorrect %s\n", | |
294 | pblob->Signature); | |
295 | return -EINVAL; | |
296 | } | |
297 | if (pblob->MessageType != NtLmChallenge) { | |
298 | cifs_dbg(VFS, "Incorrect message type %d\n", | |
299 | pblob->MessageType); | |
300 | return -EINVAL; | |
301 | } | |
302 | ||
303 | memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE); | |
304 | /* BB we could decode pblob->NegotiateFlags; some may be useful */ | |
305 | /* In particular we can examine sign flags */ | |
306 | /* BB spec says that if AvId field of MsvAvTimestamp is populated then | |
307 | we must set the MIC field of the AUTHENTICATE_MESSAGE */ | |
308 | ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags); | |
309 | tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); | |
310 | tilen = le16_to_cpu(pblob->TargetInfoArray.Length); | |
311 | if (tioffset > blob_len || tioffset + tilen > blob_len) { | |
312 | cifs_dbg(VFS, "tioffset + tilen too high %u + %u", | |
313 | tioffset, tilen); | |
314 | return -EINVAL; | |
315 | } | |
316 | if (tilen) { | |
317 | ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen, | |
318 | GFP_KERNEL); | |
319 | if (!ses->auth_key.response) { | |
320 | cifs_dbg(VFS, "Challenge target info alloc failure"); | |
321 | return -ENOMEM; | |
322 | } | |
323 | ses->auth_key.len = tilen; | |
324 | } | |
325 | ||
326 | return 0; | |
327 | } | |
328 | ||
329 | /* BB Move to ntlmssp.c eventually */ | |
330 | ||
331 | /* We do not malloc the blob, it is passed in pbuffer, because | |
332 | it is fixed size, and small, making this approach cleaner */ | |
333 | void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, | |
334 | struct cifs_ses *ses) | |
335 | { | |
336 | NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer; | |
337 | __u32 flags; | |
338 | ||
339 | memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE)); | |
340 | memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); | |
341 | sec_blob->MessageType = NtLmNegotiate; | |
342 | ||
343 | /* BB is NTLMV2 session security format easier to use here? */ | |
344 | flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET | | |
345 | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | | |
346 | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC; | |
347 | if (ses->server->sign) { | |
348 | flags |= NTLMSSP_NEGOTIATE_SIGN; | |
349 | if (!ses->server->session_estab || | |
350 | ses->ntlmssp->sesskey_per_smbsess) | |
351 | flags |= NTLMSSP_NEGOTIATE_KEY_XCH; | |
352 | } | |
353 | ||
354 | sec_blob->NegotiateFlags = cpu_to_le32(flags); | |
355 | ||
356 | sec_blob->WorkstationName.BufferOffset = 0; | |
357 | sec_blob->WorkstationName.Length = 0; | |
358 | sec_blob->WorkstationName.MaximumLength = 0; | |
359 | ||
360 | /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */ | |
361 | sec_blob->DomainName.BufferOffset = 0; | |
362 | sec_blob->DomainName.Length = 0; | |
363 | sec_blob->DomainName.MaximumLength = 0; | |
364 | } | |
365 | ||
366 | /* We do not malloc the blob, it is passed in pbuffer, because its | |
367 | maximum possible size is fixed and small, making this approach cleaner. | |
368 | This function returns the length of the data in the blob */ | |
369 | int build_ntlmssp_auth_blob(unsigned char *pbuffer, | |
370 | u16 *buflen, | |
371 | struct cifs_ses *ses, | |
372 | const struct nls_table *nls_cp) | |
373 | { | |
374 | int rc; | |
375 | AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer; | |
376 | __u32 flags; | |
377 | unsigned char *tmp; | |
378 | ||
379 | memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8); | |
380 | sec_blob->MessageType = NtLmAuthenticate; | |
381 | ||
382 | flags = NTLMSSP_NEGOTIATE_56 | | |
383 | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO | | |
384 | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE | | |
385 | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC; | |
386 | if (ses->server->sign) { | |
387 | flags |= NTLMSSP_NEGOTIATE_SIGN; | |
388 | if (!ses->server->session_estab || | |
389 | ses->ntlmssp->sesskey_per_smbsess) | |
390 | flags |= NTLMSSP_NEGOTIATE_KEY_XCH; | |
391 | } | |
392 | ||
393 | tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE); | |
394 | sec_blob->NegotiateFlags = cpu_to_le32(flags); | |
395 | ||
396 | sec_blob->LmChallengeResponse.BufferOffset = | |
397 | cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE)); | |
398 | sec_blob->LmChallengeResponse.Length = 0; | |
399 | sec_blob->LmChallengeResponse.MaximumLength = 0; | |
400 | ||
401 | sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
402 | rc = setup_ntlmv2_rsp(ses, nls_cp); | |
403 | if (rc) { | |
404 | cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc); | |
405 | goto setup_ntlmv2_ret; | |
406 | } | |
407 | memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE, | |
408 | ses->auth_key.len - CIFS_SESS_KEY_SIZE); | |
409 | tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE; | |
410 | ||
411 | sec_blob->NtChallengeResponse.Length = | |
412 | cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); | |
413 | sec_blob->NtChallengeResponse.MaximumLength = | |
414 | cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); | |
415 | ||
416 | if (ses->domainName == NULL) { | |
417 | sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
418 | sec_blob->DomainName.Length = 0; | |
419 | sec_blob->DomainName.MaximumLength = 0; | |
420 | tmp += 2; | |
421 | } else { | |
422 | int len; | |
423 | len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName, | |
424 | CIFS_MAX_USERNAME_LEN, nls_cp); | |
425 | len *= 2; /* unicode is 2 bytes each */ | |
426 | sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
427 | sec_blob->DomainName.Length = cpu_to_le16(len); | |
428 | sec_blob->DomainName.MaximumLength = cpu_to_le16(len); | |
429 | tmp += len; | |
430 | } | |
431 | ||
432 | if (ses->user_name == NULL) { | |
433 | sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
434 | sec_blob->UserName.Length = 0; | |
435 | sec_blob->UserName.MaximumLength = 0; | |
436 | tmp += 2; | |
437 | } else { | |
438 | int len; | |
439 | len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name, | |
440 | CIFS_MAX_USERNAME_LEN, nls_cp); | |
441 | len *= 2; /* unicode is 2 bytes each */ | |
442 | sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
443 | sec_blob->UserName.Length = cpu_to_le16(len); | |
444 | sec_blob->UserName.MaximumLength = cpu_to_le16(len); | |
445 | tmp += len; | |
446 | } | |
447 | ||
448 | sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
449 | sec_blob->WorkstationName.Length = 0; | |
450 | sec_blob->WorkstationName.MaximumLength = 0; | |
451 | tmp += 2; | |
452 | ||
453 | if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) || | |
454 | (ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) | |
455 | && !calc_seckey(ses)) { | |
456 | memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE); | |
457 | sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
458 | sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE); | |
459 | sec_blob->SessionKey.MaximumLength = | |
460 | cpu_to_le16(CIFS_CPHTXT_SIZE); | |
461 | tmp += CIFS_CPHTXT_SIZE; | |
462 | } else { | |
463 | sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer); | |
464 | sec_blob->SessionKey.Length = 0; | |
465 | sec_blob->SessionKey.MaximumLength = 0; | |
466 | } | |
467 | ||
468 | setup_ntlmv2_ret: | |
469 | *buflen = tmp - pbuffer; | |
470 | return rc; | |
471 | } | |
472 | ||
473 | enum securityEnum | |
474 | select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) | |
475 | { | |
476 | switch (server->negflavor) { | |
477 | case CIFS_NEGFLAVOR_EXTENDED: | |
478 | switch (requested) { | |
479 | case Kerberos: | |
480 | case RawNTLMSSP: | |
481 | return requested; | |
482 | case Unspecified: | |
483 | if (server->sec_ntlmssp && | |
484 | (global_secflags & CIFSSEC_MAY_NTLMSSP)) | |
485 | return RawNTLMSSP; | |
486 | if ((server->sec_kerberos || server->sec_mskerberos) && | |
487 | (global_secflags & CIFSSEC_MAY_KRB5)) | |
488 | return Kerberos; | |
489 | /* Fallthrough */ | |
490 | default: | |
491 | return Unspecified; | |
492 | } | |
493 | case CIFS_NEGFLAVOR_UNENCAP: | |
494 | switch (requested) { | |
495 | case NTLM: | |
496 | case NTLMv2: | |
497 | return requested; | |
498 | case Unspecified: | |
499 | if (global_secflags & CIFSSEC_MAY_NTLMV2) | |
500 | return NTLMv2; | |
501 | if (global_secflags & CIFSSEC_MAY_NTLM) | |
502 | return NTLM; | |
503 | default: | |
504 | /* Fallthrough to attempt LANMAN authentication next */ | |
505 | break; | |
506 | } | |
507 | case CIFS_NEGFLAVOR_LANMAN: | |
508 | switch (requested) { | |
509 | case LANMAN: | |
510 | return requested; | |
511 | case Unspecified: | |
512 | if (global_secflags & CIFSSEC_MAY_LANMAN) | |
513 | return LANMAN; | |
514 | /* Fallthrough */ | |
515 | default: | |
516 | return Unspecified; | |
517 | } | |
518 | default: | |
519 | return Unspecified; | |
520 | } | |
521 | } | |
522 | ||
523 | int | |
524 | CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses, | |
525 | const struct nls_table *nls_cp) | |
526 | { | |
527 | int rc = 0; | |
528 | int wct; | |
529 | struct smb_hdr *smb_buf; | |
530 | char *bcc_ptr; | |
531 | char *str_area; | |
532 | SESSION_SETUP_ANDX *pSMB; | |
533 | __u32 capabilities; | |
534 | __u16 count; | |
535 | int resp_buf_type; | |
536 | struct kvec iov[3]; | |
537 | enum securityEnum type; | |
538 | __u16 action, bytes_remaining; | |
539 | struct key *spnego_key = NULL; | |
540 | __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ | |
541 | u16 blob_len; | |
542 | char *ntlmsspblob = NULL; | |
543 | ||
544 | if (ses == NULL) { | |
545 | WARN(1, "%s: ses == NULL!", __func__); | |
546 | return -EINVAL; | |
547 | } | |
548 | ||
549 | type = select_sectype(ses->server, ses->sectype); | |
550 | cifs_dbg(FYI, "sess setup type %d\n", type); | |
551 | if (type == Unspecified) { | |
552 | cifs_dbg(VFS, | |
553 | "Unable to select appropriate authentication method!"); | |
554 | return -EINVAL; | |
555 | } | |
556 | ||
557 | if (type == RawNTLMSSP) { | |
558 | /* if memory allocation is successful, caller of this function | |
559 | * frees it. | |
560 | */ | |
561 | ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL); | |
562 | if (!ses->ntlmssp) | |
563 | return -ENOMEM; | |
564 | ses->ntlmssp->sesskey_per_smbsess = false; | |
565 | ||
566 | } | |
567 | ||
568 | ssetup_ntlmssp_authenticate: | |
569 | if (phase == NtLmChallenge) | |
570 | phase = NtLmAuthenticate; /* if ntlmssp, now final phase */ | |
571 | ||
572 | if (type == LANMAN) { | |
573 | #ifndef CONFIG_CIFS_WEAK_PW_HASH | |
574 | /* LANMAN and plaintext are less secure and off by default. | |
575 | So we make this explicitly be turned on in kconfig (in the | |
576 | build) and turned on at runtime (changed from the default) | |
577 | in proc/fs/cifs or via mount parm. Unfortunately this is | |
578 | needed for old Win (e.g. Win95), some obscure NAS and OS/2 */ | |
579 | return -EOPNOTSUPP; | |
580 | #endif | |
581 | wct = 10; /* lanman 2 style sessionsetup */ | |
582 | } else if ((type == NTLM) || (type == NTLMv2)) { | |
583 | /* For NTLMv2 failures eventually may need to retry NTLM */ | |
584 | wct = 13; /* old style NTLM sessionsetup */ | |
585 | } else /* same size: negotiate or auth, NTLMSSP or extended security */ | |
586 | wct = 12; | |
587 | ||
588 | rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses, | |
589 | (void **)&smb_buf); | |
590 | if (rc) | |
591 | return rc; | |
592 | ||
593 | pSMB = (SESSION_SETUP_ANDX *)smb_buf; | |
594 | ||
595 | capabilities = cifs_ssetup_hdr(ses, pSMB); | |
596 | ||
597 | /* we will send the SMB in three pieces: | |
598 | a fixed length beginning part, an optional | |
599 | SPNEGO blob (which can be zero length), and a | |
600 | last part which will include the strings | |
601 | and rest of bcc area. This allows us to avoid | |
602 | a large buffer 17K allocation */ | |
603 | iov[0].iov_base = (char *)pSMB; | |
604 | iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4; | |
605 | ||
606 | /* setting this here allows the code at the end of the function | |
607 | to free the request buffer if there's an error */ | |
608 | resp_buf_type = CIFS_SMALL_BUFFER; | |
609 | ||
610 | /* 2000 big enough to fit max user, domain, NOS name etc. */ | |
611 | str_area = kmalloc(2000, GFP_KERNEL); | |
612 | if (str_area == NULL) { | |
613 | rc = -ENOMEM; | |
614 | goto ssetup_exit; | |
615 | } | |
616 | bcc_ptr = str_area; | |
617 | ||
618 | iov[1].iov_base = NULL; | |
619 | iov[1].iov_len = 0; | |
620 | ||
621 | if (type == LANMAN) { | |
622 | #ifdef CONFIG_CIFS_WEAK_PW_HASH | |
623 | char lnm_session_key[CIFS_AUTH_RESP_SIZE]; | |
624 | ||
625 | pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE; | |
626 | ||
627 | /* no capabilities flags in old lanman negotiation */ | |
628 | ||
629 | pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE); | |
630 | ||
631 | /* Calculate hash with password and copy into bcc_ptr. | |
632 | * Encryption Key (stored as in cryptkey) gets used if the | |
633 | * security mode bit in Negottiate Protocol response states | |
634 | * to use challenge/response method (i.e. Password bit is 1). | |
635 | */ | |
636 | ||
637 | rc = calc_lanman_hash(ses->password, ses->server->cryptkey, | |
638 | ses->server->sec_mode & SECMODE_PW_ENCRYPT ? | |
639 | true : false, lnm_session_key); | |
640 | ||
641 | memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE); | |
642 | bcc_ptr += CIFS_AUTH_RESP_SIZE; | |
643 | ||
644 | /* can not sign if LANMAN negotiated so no need | |
645 | to calculate signing key? but what if server | |
646 | changed to do higher than lanman dialect and | |
647 | we reconnected would we ever calc signing_key? */ | |
648 | ||
649 | cifs_dbg(FYI, "Negotiating LANMAN setting up strings\n"); | |
650 | /* Unicode not allowed for LANMAN dialects */ | |
651 | ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
652 | #endif | |
653 | } else if (type == NTLM) { | |
654 | pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); | |
655 | pSMB->req_no_secext.CaseInsensitivePasswordLength = | |
656 | cpu_to_le16(CIFS_AUTH_RESP_SIZE); | |
657 | pSMB->req_no_secext.CaseSensitivePasswordLength = | |
658 | cpu_to_le16(CIFS_AUTH_RESP_SIZE); | |
659 | ||
660 | /* calculate ntlm response and session key */ | |
661 | rc = setup_ntlm_response(ses, nls_cp); | |
662 | if (rc) { | |
663 | cifs_dbg(VFS, "Error %d during NTLM authentication\n", | |
664 | rc); | |
665 | goto ssetup_exit; | |
666 | } | |
667 | ||
668 | /* copy ntlm response */ | |
669 | memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, | |
670 | CIFS_AUTH_RESP_SIZE); | |
671 | bcc_ptr += CIFS_AUTH_RESP_SIZE; | |
672 | memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, | |
673 | CIFS_AUTH_RESP_SIZE); | |
674 | bcc_ptr += CIFS_AUTH_RESP_SIZE; | |
675 | ||
676 | if (ses->capabilities & CAP_UNICODE) { | |
677 | /* unicode strings must be word aligned */ | |
678 | if (iov[0].iov_len % 2) { | |
679 | *bcc_ptr = 0; | |
680 | bcc_ptr++; | |
681 | } | |
682 | unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
683 | } else | |
684 | ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
685 | } else if (type == NTLMv2) { | |
686 | pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities); | |
687 | ||
688 | /* LM2 password would be here if we supported it */ | |
689 | pSMB->req_no_secext.CaseInsensitivePasswordLength = 0; | |
690 | ||
691 | /* calculate nlmv2 response and session key */ | |
692 | rc = setup_ntlmv2_rsp(ses, nls_cp); | |
693 | if (rc) { | |
694 | cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", | |
695 | rc); | |
696 | goto ssetup_exit; | |
697 | } | |
698 | memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE, | |
699 | ses->auth_key.len - CIFS_SESS_KEY_SIZE); | |
700 | bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE; | |
701 | ||
702 | /* set case sensitive password length after tilen may get | |
703 | * assigned, tilen is 0 otherwise. | |
704 | */ | |
705 | pSMB->req_no_secext.CaseSensitivePasswordLength = | |
706 | cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE); | |
707 | ||
708 | if (ses->capabilities & CAP_UNICODE) { | |
709 | if (iov[0].iov_len % 2) { | |
710 | *bcc_ptr = 0; | |
711 | bcc_ptr++; | |
712 | } | |
713 | unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
714 | } else | |
715 | ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
716 | } else if (type == Kerberos) { | |
717 | #ifdef CONFIG_CIFS_UPCALL | |
718 | struct cifs_spnego_msg *msg; | |
719 | ||
720 | spnego_key = cifs_get_spnego_key(ses); | |
721 | if (IS_ERR(spnego_key)) { | |
722 | rc = PTR_ERR(spnego_key); | |
723 | spnego_key = NULL; | |
724 | goto ssetup_exit; | |
725 | } | |
726 | ||
727 | msg = spnego_key->payload.data; | |
728 | /* check version field to make sure that cifs.upcall is | |
729 | sending us a response in an expected form */ | |
730 | if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { | |
731 | cifs_dbg(VFS, "incorrect version of cifs.upcall " | |
732 | "expected %d but got %d)", | |
733 | CIFS_SPNEGO_UPCALL_VERSION, msg->version); | |
734 | rc = -EKEYREJECTED; | |
735 | goto ssetup_exit; | |
736 | } | |
737 | ||
738 | ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, | |
739 | GFP_KERNEL); | |
740 | if (!ses->auth_key.response) { | |
741 | cifs_dbg(VFS, | |
742 | "Kerberos can't allocate (%u bytes) memory", | |
743 | msg->sesskey_len); | |
744 | rc = -ENOMEM; | |
745 | goto ssetup_exit; | |
746 | } | |
747 | ses->auth_key.len = msg->sesskey_len; | |
748 | ||
749 | pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; | |
750 | capabilities |= CAP_EXTENDED_SECURITY; | |
751 | pSMB->req.Capabilities = cpu_to_le32(capabilities); | |
752 | iov[1].iov_base = msg->data + msg->sesskey_len; | |
753 | iov[1].iov_len = msg->secblob_len; | |
754 | pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len); | |
755 | ||
756 | if (ses->capabilities & CAP_UNICODE) { | |
757 | /* unicode strings must be word aligned */ | |
758 | if ((iov[0].iov_len + iov[1].iov_len) % 2) { | |
759 | *bcc_ptr = 0; | |
760 | bcc_ptr++; | |
761 | } | |
762 | unicode_oslm_strings(&bcc_ptr, nls_cp); | |
763 | unicode_domain_string(&bcc_ptr, ses, nls_cp); | |
764 | } else | |
765 | /* BB: is this right? */ | |
766 | ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); | |
767 | #else /* ! CONFIG_CIFS_UPCALL */ | |
768 | cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n"); | |
769 | rc = -ENOSYS; | |
770 | goto ssetup_exit; | |
771 | #endif /* CONFIG_CIFS_UPCALL */ | |
772 | } else if (type == RawNTLMSSP) { | |
773 | if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) { | |
774 | cifs_dbg(VFS, "NTLMSSP requires Unicode support\n"); | |
775 | rc = -ENOSYS; | |
776 | goto ssetup_exit; | |
777 | } | |
778 | ||
779 | cifs_dbg(FYI, "ntlmssp session setup phase %d\n", phase); | |
780 | pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; | |
781 | capabilities |= CAP_EXTENDED_SECURITY; | |
782 | pSMB->req.Capabilities |= cpu_to_le32(capabilities); | |
783 | switch(phase) { | |
784 | case NtLmNegotiate: | |
785 | build_ntlmssp_negotiate_blob( | |
786 | pSMB->req.SecurityBlob, ses); | |
787 | iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE); | |
788 | iov[1].iov_base = pSMB->req.SecurityBlob; | |
789 | pSMB->req.SecurityBlobLength = | |
790 | cpu_to_le16(sizeof(NEGOTIATE_MESSAGE)); | |
791 | break; | |
792 | case NtLmAuthenticate: | |
793 | /* | |
794 | * 5 is an empirical value, large enough to hold | |
795 | * authenticate message plus max 10 of av paris, | |
796 | * domain, user, workstation names, flags, etc. | |
797 | */ | |
798 | ntlmsspblob = kzalloc( | |
799 | 5*sizeof(struct _AUTHENTICATE_MESSAGE), | |
800 | GFP_KERNEL); | |
801 | if (!ntlmsspblob) { | |
802 | rc = -ENOMEM; | |
803 | goto ssetup_exit; | |
804 | } | |
805 | ||
806 | rc = build_ntlmssp_auth_blob(ntlmsspblob, | |
807 | &blob_len, ses, nls_cp); | |
808 | if (rc) | |
809 | goto ssetup_exit; | |
810 | iov[1].iov_len = blob_len; | |
811 | iov[1].iov_base = ntlmsspblob; | |
812 | pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len); | |
813 | /* | |
814 | * Make sure that we tell the server that we are using | |
815 | * the uid that it just gave us back on the response | |
816 | * (challenge) | |
817 | */ | |
818 | smb_buf->Uid = ses->Suid; | |
819 | break; | |
820 | default: | |
821 | cifs_dbg(VFS, "invalid phase %d\n", phase); | |
822 | rc = -ENOSYS; | |
823 | goto ssetup_exit; | |
824 | } | |
825 | /* unicode strings must be word aligned */ | |
826 | if ((iov[0].iov_len + iov[1].iov_len) % 2) { | |
827 | *bcc_ptr = 0; | |
828 | bcc_ptr++; | |
829 | } | |
830 | unicode_oslm_strings(&bcc_ptr, nls_cp); | |
831 | } else { | |
832 | cifs_dbg(VFS, "secType %d not supported!\n", type); | |
833 | rc = -ENOSYS; | |
834 | goto ssetup_exit; | |
835 | } | |
836 | ||
837 | iov[2].iov_base = str_area; | |
838 | iov[2].iov_len = (long) bcc_ptr - (long) str_area; | |
839 | ||
840 | count = iov[1].iov_len + iov[2].iov_len; | |
841 | smb_buf->smb_buf_length = | |
842 | cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count); | |
843 | ||
844 | put_bcc(count, smb_buf); | |
845 | ||
846 | rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type, | |
847 | CIFS_LOG_ERROR); | |
848 | /* SMB request buf freed in SendReceive2 */ | |
849 | ||
850 | pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base; | |
851 | smb_buf = (struct smb_hdr *)iov[0].iov_base; | |
852 | ||
853 | if ((type == RawNTLMSSP) && (resp_buf_type != CIFS_NO_BUFFER) && | |
854 | (smb_buf->Status.CifsError == | |
855 | cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) { | |
856 | if (phase != NtLmNegotiate) { | |
857 | cifs_dbg(VFS, "Unexpected more processing error\n"); | |
858 | goto ssetup_exit; | |
859 | } | |
860 | /* NTLMSSP Negotiate sent now processing challenge (response) */ | |
861 | phase = NtLmChallenge; /* process ntlmssp challenge */ | |
862 | rc = 0; /* MORE_PROC rc is not an error here, but expected */ | |
863 | } | |
864 | if (rc) | |
865 | goto ssetup_exit; | |
866 | ||
867 | if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) { | |
868 | rc = -EIO; | |
869 | cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); | |
870 | goto ssetup_exit; | |
871 | } | |
872 | action = le16_to_cpu(pSMB->resp.Action); | |
873 | if (action & GUEST_LOGIN) | |
874 | cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */ | |
875 | ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ | |
876 | cifs_dbg(FYI, "UID = %llu\n", ses->Suid); | |
877 | /* response can have either 3 or 4 word count - Samba sends 3 */ | |
878 | /* and lanman response is 3 */ | |
879 | bytes_remaining = get_bcc(smb_buf); | |
880 | bcc_ptr = pByteArea(smb_buf); | |
881 | ||
882 | if (smb_buf->WordCount == 4) { | |
883 | blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength); | |
884 | if (blob_len > bytes_remaining) { | |
885 | cifs_dbg(VFS, "bad security blob length %d\n", | |
886 | blob_len); | |
887 | rc = -EINVAL; | |
888 | goto ssetup_exit; | |
889 | } | |
890 | if (phase == NtLmChallenge) { | |
891 | rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); | |
892 | /* now goto beginning for ntlmssp authenticate phase */ | |
893 | if (rc) | |
894 | goto ssetup_exit; | |
895 | } | |
896 | bcc_ptr += blob_len; | |
897 | bytes_remaining -= blob_len; | |
898 | } | |
899 | ||
900 | /* BB check if Unicode and decode strings */ | |
901 | if (bytes_remaining == 0) { | |
902 | /* no string area to decode, do nothing */ | |
903 | } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { | |
904 | /* unicode string area must be word-aligned */ | |
905 | if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { | |
906 | ++bcc_ptr; | |
907 | --bytes_remaining; | |
908 | } | |
909 | decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp); | |
910 | } else { | |
911 | decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp); | |
912 | } | |
913 | ||
914 | ssetup_exit: | |
915 | if (spnego_key) { | |
916 | key_invalidate(spnego_key); | |
917 | key_put(spnego_key); | |
918 | } | |
919 | kfree(str_area); | |
920 | kfree(ntlmsspblob); | |
921 | ntlmsspblob = NULL; | |
922 | if (resp_buf_type == CIFS_SMALL_BUFFER) { | |
923 | cifs_dbg(FYI, "ssetup freeing small buf %p\n", iov[0].iov_base); | |
924 | cifs_small_buf_release(iov[0].iov_base); | |
925 | } else if (resp_buf_type == CIFS_LARGE_BUFFER) | |
926 | cifs_buf_release(iov[0].iov_base); | |
927 | ||
928 | /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */ | |
929 | if ((phase == NtLmChallenge) && (rc == 0)) | |
930 | goto ssetup_ntlmssp_authenticate; | |
931 | ||
932 | if (!rc) { | |
933 | mutex_lock(&ses->server->srv_mutex); | |
934 | if (!ses->server->session_estab) { | |
935 | if (ses->server->sign) { | |
936 | ses->server->session_key.response = | |
937 | kmemdup(ses->auth_key.response, | |
938 | ses->auth_key.len, GFP_KERNEL); | |
939 | if (!ses->server->session_key.response) { | |
940 | rc = -ENOMEM; | |
941 | mutex_unlock(&ses->server->srv_mutex); | |
942 | goto keycp_exit; | |
943 | } | |
944 | ses->server->session_key.len = | |
945 | ses->auth_key.len; | |
946 | } | |
947 | ses->server->sequence_number = 0x2; | |
948 | ses->server->session_estab = true; | |
949 | } | |
950 | mutex_unlock(&ses->server->srv_mutex); | |
951 | ||
952 | cifs_dbg(FYI, "CIFS session established successfully\n"); | |
953 | spin_lock(&GlobalMid_Lock); | |
954 | ses->status = CifsGood; | |
955 | ses->need_reconnect = false; | |
956 | spin_unlock(&GlobalMid_Lock); | |
957 | } | |
958 | ||
959 | keycp_exit: | |
960 | kfree(ses->auth_key.response); | |
961 | ses->auth_key.response = NULL; | |
962 | kfree(ses->ntlmssp); | |
963 | ||
964 | return rc; | |
965 | } |