1
/*
2
 *   fs/cifs/sess.c
3
 *
4
 *   SMB/CIFS session setup handling routines
5
 *
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2009
7
 *   Author(s): Steve French ([email protected])
8
 *
9
 *   This library is free software; you can redistribute it and/or modify
10
 *   it under the terms of the GNU Lesser General Public License as published
11
 *   by the Free Software Foundation; either version 2.1 of the License, or
12
 *   (at your option) any later version.
13
 *
14
 *   This library is distributed in the hope that it will be useful,
15
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
16
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
17
 *   the GNU Lesser General Public License for more details.
18
 *
19
 *   You should have received a copy of the GNU Lesser General Public License
20
 *   along with this library; if not, write to the Free Software
21
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22
 */
23

24
#include "cifspdu.h"
25
#include "cifsglob.h"
26
#include "cifsproto.h"
27
#include "cifs_unicode.h"
28
#include "cifs_debug.h"
29
#include "ntlmssp.h"
30
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include <linux/slab.h>
33
#include "cifs_spnego.h"
34

35
/*
36
 * Checks if this is the first smb session to be reconnected after
37
 * the socket has been reestablished (so we know whether to use vc 0).
38
 * Called while holding the cifs_tcp_ses_lock, so do not block
39
 */
40
static bool is_first_ses_reconnect(struct cifs_ses *ses)
41
{
42
	struct list_head *tmp;
43
	struct cifs_ses *tmp_ses;
44

45
	list_for_each(tmp, &ses->server->smb_ses_list) {
46
		tmp_ses = list_entry(tmp, struct cifs_ses,
47
				     smb_ses_list);
48
		if (tmp_ses->need_reconnect == false)
49
			return false;
50
	}
51
	/* could not find a session that was already connected,
52
	   this must be the first one we are reconnecting */
53
	return true;
54
}
55

56
/*
57
 *	vc number 0 is treated specially by some servers, and should be the
58
 *      first one we request.  After that we can use vcnumbers up to maxvcs,
59
 *	one for each smb session (some Windows versions set maxvcs incorrectly
60
 *	so maxvc=1 can be ignored).  If we have too many vcs, we can reuse
61
 *	any vc but zero (some servers reset the connection on vcnum zero)
62
 *
63
 */
64
static __le16 get_next_vcnum(struct cifs_ses *ses)
65
{
66
	__u16 vcnum = 0;
67
	struct list_head *tmp;
68
	struct cifs_ses *tmp_ses;
69
	__u16 max_vcs = ses->server->max_vcs;
70
	__u16 i;
71
	int free_vc_found = 0;
72

73
	/* Quoting the MS-SMB specification: "Windows-based SMB servers set this
74
	field to one but do not enforce this limit, which allows an SMB client
75
	to establish more virtual circuits than allowed by this value ... but
76
	other server implementations can enforce this limit." */
77
	if (max_vcs < 2)
78
		max_vcs = 0xFFFF;
79

80
	spin_lock(&cifs_tcp_ses_lock);
81
	if ((ses->need_reconnect) && is_first_ses_reconnect(ses))
82
			goto get_vc_num_exit;  /* vcnum will be zero */
83
	for (i = ses->server->srv_count - 1; i < max_vcs; i++) {
84
		if (i == 0) /* this is the only connection, use vc 0 */
85
			break;
86

87
		free_vc_found = 1;
88

89
		list_for_each(tmp, &ses->server->smb_ses_list) {
90
			tmp_ses = list_entry(tmp, struct cifs_ses,
91
					     smb_ses_list);
92
			if (tmp_ses->vcnum == i) {
93
				free_vc_found = 0;
94
				break; /* found duplicate, try next vcnum */
95
			}
96
		}
97
		if (free_vc_found)
98
			break; /* we found a vcnumber that will work - use it */
99
	}
100

101
	if (i == 0)
102
		vcnum = 0; /* for most common case, ie if one smb session, use
103
			      vc zero.  Also for case when no free vcnum, zero
104
			      is safest to send (some clients only send zero) */
105
	else if (free_vc_found == 0)
106
		vcnum = 1;  /* we can not reuse vc=0 safely, since some servers
107
				reset all uids on that, but 1 is ok. */
108
	else
109
		vcnum = i;
110
	ses->vcnum = vcnum;
111
get_vc_num_exit:
112
	spin_unlock(&cifs_tcp_ses_lock);
113

114
	return cpu_to_le16(vcnum);
115
}
116

117
static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
118
{
119
	__u32 capabilities = 0;
120

121
	/* init fields common to all four types of SessSetup */
122
	/* Note that offsets for first seven fields in req struct are same  */
123
	/*	in CIFS Specs so does not matter which of 3 forms of struct */
124
	/*	that we use in next few lines                               */
125
	/* Note that header is initialized to zero in header_assemble */
126
	pSMB->req.AndXCommand = 0xFF;
127
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
128
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
129
	pSMB->req.VcNumber = get_next_vcnum(ses);
130

131
	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
132

133
	/* BB verify whether signing required on neg or just on auth frame
134
	   (and NTLM case) */
135

136
	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
137
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
138

139
	if (ses->server->sec_mode &
140
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
141
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
142

143
	if (ses->capabilities & CAP_UNICODE) {
144
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
145
		capabilities |= CAP_UNICODE;
146
	}
147
	if (ses->capabilities & CAP_STATUS32) {
148
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
149
		capabilities |= CAP_STATUS32;
150
	}
151
	if (ses->capabilities & CAP_DFS) {
152
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
153
		capabilities |= CAP_DFS;
154
	}
155
	if (ses->capabilities & CAP_UNIX)
156
		capabilities |= CAP_UNIX;
157

158
	return capabilities;
159
}
160

161
static void
162
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
163
{
164
	char *bcc_ptr = *pbcc_area;
165
	int bytes_ret = 0;
166

167
	/* Copy OS version */
168
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
169
				  nls_cp);
170
	bcc_ptr += 2 * bytes_ret;
171
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
172
				  32, nls_cp);
173
	bcc_ptr += 2 * bytes_ret;
174
	bcc_ptr += 2; /* trailing null */
175

176
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
177
				  32, nls_cp);
178
	bcc_ptr += 2 * bytes_ret;
179
	bcc_ptr += 2; /* trailing null */
180

181
	*pbcc_area = bcc_ptr;
182
}
183

184
static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
185
				   const struct nls_table *nls_cp)
186
{
187
	char *bcc_ptr = *pbcc_area;
188
	int bytes_ret = 0;
189

190
	/* copy domain */
191
	if (ses->domainName == NULL) {
192
		/* Sending null domain better than using a bogus domain name (as
193
		we did briefly in 2.6.18) since server will use its default */
194
		*bcc_ptr = 0;
195
		*(bcc_ptr+1) = 0;
196
		bytes_ret = 0;
197
	} else
198
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
199
					  256, nls_cp);
200
	bcc_ptr += 2 * bytes_ret;
201
	bcc_ptr += 2;  /* account for null terminator */
202

203
	*pbcc_area = bcc_ptr;
204
}
205

206

207
static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
208
				   const struct nls_table *nls_cp)
209
{
210
	char *bcc_ptr = *pbcc_area;
211
	int bytes_ret = 0;
212

213
	/* BB FIXME add check that strings total less
214
	than 335 or will need to send them as arrays */
215

216
	/* unicode strings, must be word aligned before the call */
217
/*	if ((long) bcc_ptr % 2)	{
218
		*bcc_ptr = 0;
219
		bcc_ptr++;
220
	} */
221
	/* copy user */
222
	if (ses->user_name == NULL) {
223
		/* null user mount */
224
		*bcc_ptr = 0;
225
		*(bcc_ptr+1) = 0;
226
	} else {
227
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->user_name,
228
					  MAX_USERNAME_SIZE, nls_cp);
229
	}
230
	bcc_ptr += 2 * bytes_ret;
231
	bcc_ptr += 2; /* account for null termination */
232

233
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
234
	unicode_oslm_strings(&bcc_ptr, nls_cp);
235

236
	*pbcc_area = bcc_ptr;
237
}
238

239
static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
240
				 const struct nls_table *nls_cp)
241
{
242
	char *bcc_ptr = *pbcc_area;
243

244
	/* copy user */
245
	/* BB what about null user mounts - check that we do this BB */
246
	/* copy user */
247
	if (ses->user_name != NULL)
248
		strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
249
	/* else null user mount */
250

251
	bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
252
	*bcc_ptr = 0;
253
	bcc_ptr++; /* account for null termination */
254

255
	/* copy domain */
256

257
	if (ses->domainName != NULL) {
258
		strncpy(bcc_ptr, ses->domainName, 256);
259
		bcc_ptr += strnlen(ses->domainName, 256);
260
	} /* else we will send a null domain name
261
	     so the server will default to its own domain */
262
	*bcc_ptr = 0;
263
	bcc_ptr++;
264

265
	/* BB check for overflow here */
266

267
	strcpy(bcc_ptr, "Linux version ");
268
	bcc_ptr += strlen("Linux version ");
269
	strcpy(bcc_ptr, init_utsname()->release);
270
	bcc_ptr += strlen(init_utsname()->release) + 1;
271

272
	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
273
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
274

275
	*pbcc_area = bcc_ptr;
276
}
277

278
static void
279
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifs_ses *ses,
280
		      const struct nls_table *nls_cp)
281
{
282
	int len;
283
	char *data = *pbcc_area;
284

285
	cFYI(1, "bleft %d", bleft);
286

287
	kfree(ses->serverOS);
288
	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
289
	cFYI(1, "serverOS=%s", ses->serverOS);
290
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
291
	data += len;
292
	bleft -= len;
293
	if (bleft <= 0)
294
		return;
295

296
	kfree(ses->serverNOS);
297
	ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
298
	cFYI(1, "serverNOS=%s", ses->serverNOS);
299
	len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
300
	data += len;
301
	bleft -= len;
302
	if (bleft <= 0)
303
		return;
304

305
	kfree(ses->serverDomain);
306
	ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
307
	cFYI(1, "serverDomain=%s", ses->serverDomain);
308

309
	return;
310
}
311

312
static int decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
313
			       struct cifs_ses *ses,
314
			       const struct nls_table *nls_cp)
315
{
316
	int rc = 0;
317
	int len;
318
	char *bcc_ptr = *pbcc_area;
319

320
	cFYI(1, "decode sessetup ascii. bleft %d", bleft);
321

322
	len = strnlen(bcc_ptr, bleft);
323
	if (len >= bleft)
324
		return rc;
325

326
	kfree(ses->serverOS);
327

328
	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
329
	if (ses->serverOS)
330
		strncpy(ses->serverOS, bcc_ptr, len);
331
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
332
			cFYI(1, "OS/2 server");
333
			ses->flags |= CIFS_SES_OS2;
334
	}
335

336
	bcc_ptr += len + 1;
337
	bleft -= len + 1;
338

339
	len = strnlen(bcc_ptr, bleft);
340
	if (len >= bleft)
341
		return rc;
342

343
	kfree(ses->serverNOS);
344

345
	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
346
	if (ses->serverNOS)
347
		strncpy(ses->serverNOS, bcc_ptr, len);
348

349
	bcc_ptr += len + 1;
350
	bleft -= len + 1;
351

352
	len = strnlen(bcc_ptr, bleft);
353
	if (len > bleft)
354
		return rc;
355

356
	/* No domain field in LANMAN case. Domain is
357
	   returned by old servers in the SMB negprot response */
358
	/* BB For newer servers which do not support Unicode,
359
	   but thus do return domain here we could add parsing
360
	   for it later, but it is not very important */
361
	cFYI(1, "ascii: bytes left %d", bleft);
362

363
	return rc;
364
}
365

366
static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
367
				    struct cifs_ses *ses)
368
{
369
	unsigned int tioffset; /* challenge message target info area */
370
	unsigned int tilen; /* challenge message target info area length  */
371

372
	CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
373

374
	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
375
		cERROR(1, "challenge blob len %d too small", blob_len);
376
		return -EINVAL;
377
	}
378

379
	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
380
		cERROR(1, "blob signature incorrect %s", pblob->Signature);
381
		return -EINVAL;
382
	}
383
	if (pblob->MessageType != NtLmChallenge) {
384
		cERROR(1, "Incorrect message type %d", pblob->MessageType);
385
		return -EINVAL;
386
	}
387

388
	memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
389
	/* BB we could decode pblob->NegotiateFlags; some may be useful */
390
	/* In particular we can examine sign flags */
391
	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
392
		we must set the MIC field of the AUTHENTICATE_MESSAGE */
393
	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
394
	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
395
	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
396
	if (tilen) {
397
		ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
398
		if (!ses->auth_key.response) {
399
			cERROR(1, "Challenge target info allocation failure");
400
			return -ENOMEM;
401
		}
402
		memcpy(ses->auth_key.response, bcc_ptr + tioffset, tilen);
403
		ses->auth_key.len = tilen;
404
	}
405

406
	return 0;
407
}
408

409
/* BB Move to ntlmssp.c eventually */
410

411
/* We do not malloc the blob, it is passed in pbuffer, because
412
   it is fixed size, and small, making this approach cleaner */
413
static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
414
					 struct cifs_ses *ses)
415
{
416
	NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
417
	__u32 flags;
418

419
	memset(pbuffer, 0, sizeof(NEGOTIATE_MESSAGE));
420
	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
421
	sec_blob->MessageType = NtLmNegotiate;
422

423
	/* BB is NTLMV2 session security format easier to use here? */
424
	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
425
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
426
		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
427
	if (ses->server->sec_mode &
428
			(SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
429
		flags |= NTLMSSP_NEGOTIATE_SIGN;
430
		if (!ses->server->session_estab)
431
			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
432
	}
433

434
	sec_blob->NegotiateFlags = cpu_to_le32(flags);
435

436
	sec_blob->WorkstationName.BufferOffset = 0;
437
	sec_blob->WorkstationName.Length = 0;
438
	sec_blob->WorkstationName.MaximumLength = 0;
439

440
	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
441
	sec_blob->DomainName.BufferOffset = 0;
442
	sec_blob->DomainName.Length = 0;
443
	sec_blob->DomainName.MaximumLength = 0;
444
}
445

446
/* We do not malloc the blob, it is passed in pbuffer, because its
447
   maximum possible size is fixed and small, making this approach cleaner.
448
   This function returns the length of the data in the blob */
449
static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
450
					u16 *buflen,
451
				   struct cifs_ses *ses,
452
				   const struct nls_table *nls_cp)
453
{
454
	int rc;
455
	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
456
	__u32 flags;
457
	unsigned char *tmp;
458

459
	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
460
	sec_blob->MessageType = NtLmAuthenticate;
461

462
	flags = NTLMSSP_NEGOTIATE_56 |
463
		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
464
		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
465
		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
466
	if (ses->server->sec_mode &
467
	   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
468
		flags |= NTLMSSP_NEGOTIATE_SIGN;
469
		if (!ses->server->session_estab)
470
			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
471
	}
472

473
	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
474
	sec_blob->NegotiateFlags = cpu_to_le32(flags);
475

476
	sec_blob->LmChallengeResponse.BufferOffset =
477
				cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
478
	sec_blob->LmChallengeResponse.Length = 0;
479
	sec_blob->LmChallengeResponse.MaximumLength = 0;
480

481
	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
482
	rc = setup_ntlmv2_rsp(ses, nls_cp);
483
	if (rc) {
484
		cERROR(1, "Error %d during NTLMSSP authentication", rc);
485
		goto setup_ntlmv2_ret;
486
	}
487
	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
488
			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
489
	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
490

491
	sec_blob->NtChallengeResponse.Length =
492
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
493
	sec_blob->NtChallengeResponse.MaximumLength =
494
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
495

496
	if (ses->domainName == NULL) {
497
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
498
		sec_blob->DomainName.Length = 0;
499
		sec_blob->DomainName.MaximumLength = 0;
500
		tmp += 2;
501
	} else {
502
		int len;
503
		len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
504
				    MAX_USERNAME_SIZE, nls_cp);
505
		len *= 2; /* unicode is 2 bytes each */
506
		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
507
		sec_blob->DomainName.Length = cpu_to_le16(len);
508
		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
509
		tmp += len;
510
	}
511

512
	if (ses->user_name == NULL) {
513
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
514
		sec_blob->UserName.Length = 0;
515
		sec_blob->UserName.MaximumLength = 0;
516
		tmp += 2;
517
	} else {
518
		int len;
519
		len = cifs_strtoUCS((__le16 *)tmp, ses->user_name,
520
				    MAX_USERNAME_SIZE, nls_cp);
521
		len *= 2; /* unicode is 2 bytes each */
522
		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
523
		sec_blob->UserName.Length = cpu_to_le16(len);
524
		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
525
		tmp += len;
526
	}
527

528
	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
529
	sec_blob->WorkstationName.Length = 0;
530
	sec_blob->WorkstationName.MaximumLength = 0;
531
	tmp += 2;
532

533
	if (((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) ||
534
		(ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
535
			&& !calc_seckey(ses)) {
536
		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
537
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
538
		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
539
		sec_blob->SessionKey.MaximumLength =
540
				cpu_to_le16(CIFS_CPHTXT_SIZE);
541
		tmp += CIFS_CPHTXT_SIZE;
542
	} else {
543
		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
544
		sec_blob->SessionKey.Length = 0;
545
		sec_blob->SessionKey.MaximumLength = 0;
546
	}
547

548
setup_ntlmv2_ret:
549
	*buflen = tmp - pbuffer;
550
	return rc;
551
}
552

553
int
554
CIFS_SessSetup(unsigned int xid, struct cifs_ses *ses,
555
	       const struct nls_table *nls_cp)
556
{
557
	int rc = 0;
558
	int wct;
559
	struct smb_hdr *smb_buf;
560
	char *bcc_ptr;
561
	char *str_area;
562
	SESSION_SETUP_ANDX *pSMB;
563
	__u32 capabilities;
564
	__u16 count;
565
	int resp_buf_type;
566
	struct kvec iov[3];
567
	enum securityEnum type;
568
	__u16 action, bytes_remaining;
569
	struct key *spnego_key = NULL;
570
	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
571
	u16 blob_len;
572
	char *ntlmsspblob = NULL;
573

574
	if (ses == NULL)
575
		return -EINVAL;
576

577
	type = ses->server->secType;
578
	cFYI(1, "sess setup type %d", type);
579
	if (type == RawNTLMSSP) {
580
		/* if memory allocation is successful, caller of this function
581
		 * frees it.
582
		 */
583
		ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
584
		if (!ses->ntlmssp)
585
			return -ENOMEM;
586
	}
587

588
ssetup_ntlmssp_authenticate:
589
	if (phase == NtLmChallenge)
590
		phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
591

592
	if (type == LANMAN) {
593
#ifndef CONFIG_CIFS_WEAK_PW_HASH
594
		/* LANMAN and plaintext are less secure and off by default.
595
		So we make this explicitly be turned on in kconfig (in the
596
		build) and turned on at runtime (changed from the default)
597
		in proc/fs/cifs or via mount parm.  Unfortunately this is
598
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
599
		return -EOPNOTSUPP;
600
#endif
601
		wct = 10; /* lanman 2 style sessionsetup */
602
	} else if ((type == NTLM) || (type == NTLMv2)) {
603
		/* For NTLMv2 failures eventually may need to retry NTLM */
604
		wct = 13; /* old style NTLM sessionsetup */
605
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
606
		wct = 12;
607

608
	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
609
			    (void **)&smb_buf);
610
	if (rc)
611
		return rc;
612

613
	pSMB = (SESSION_SETUP_ANDX *)smb_buf;
614

615
	capabilities = cifs_ssetup_hdr(ses, pSMB);
616

617
	/* we will send the SMB in three pieces:
618
	a fixed length beginning part, an optional
619
	SPNEGO blob (which can be zero length), and a
620
	last part which will include the strings
621
	and rest of bcc area. This allows us to avoid
622
	a large buffer 17K allocation */
623
	iov[0].iov_base = (char *)pSMB;
624
	iov[0].iov_len = be32_to_cpu(smb_buf->smb_buf_length) + 4;
625

626
	/* setting this here allows the code at the end of the function
627
	   to free the request buffer if there's an error */
628
	resp_buf_type = CIFS_SMALL_BUFFER;
629

630
	/* 2000 big enough to fit max user, domain, NOS name etc. */
631
	str_area = kmalloc(2000, GFP_KERNEL);
632
	if (str_area == NULL) {
633
		rc = -ENOMEM;
634
		goto ssetup_exit;
635
	}
636
	bcc_ptr = str_area;
637

638
	ses->flags &= ~CIFS_SES_LANMAN;
639

640
	iov[1].iov_base = NULL;
641
	iov[1].iov_len = 0;
642

643
	if (type == LANMAN) {
644
#ifdef CONFIG_CIFS_WEAK_PW_HASH
645
		char lnm_session_key[CIFS_AUTH_RESP_SIZE];
646

647
		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
648

649
		/* no capabilities flags in old lanman negotiation */
650

651
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
652

653
		/* Calculate hash with password and copy into bcc_ptr.
654
		 * Encryption Key (stored as in cryptkey) gets used if the
655
		 * security mode bit in Negottiate Protocol response states
656
		 * to use challenge/response method (i.e. Password bit is 1).
657
		 */
658

659
		rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
660
				 ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
661
					true : false, lnm_session_key);
662

663
		ses->flags |= CIFS_SES_LANMAN;
664
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
665
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
666

667
		/* can not sign if LANMAN negotiated so no need
668
		to calculate signing key? but what if server
669
		changed to do higher than lanman dialect and
670
		we reconnected would we ever calc signing_key? */
671

672
		cFYI(1, "Negotiating LANMAN setting up strings");
673
		/* Unicode not allowed for LANMAN dialects */
674
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
675
#endif
676
	} else if (type == NTLM) {
677
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
678
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
679
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
680
		pSMB->req_no_secext.CaseSensitivePasswordLength =
681
			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
682

683
		/* calculate ntlm response and session key */
684
		rc = setup_ntlm_response(ses);
685
		if (rc) {
686
			cERROR(1, "Error %d during NTLM authentication", rc);
687
			goto ssetup_exit;
688
		}
689

690
		/* copy ntlm response */
691
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
692
				CIFS_AUTH_RESP_SIZE);
693
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
694
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
695
				CIFS_AUTH_RESP_SIZE);
696
		bcc_ptr += CIFS_AUTH_RESP_SIZE;
697

698
		if (ses->capabilities & CAP_UNICODE) {
699
			/* unicode strings must be word aligned */
700
			if (iov[0].iov_len % 2) {
701
				*bcc_ptr = 0;
702
				bcc_ptr++;
703
			}
704
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
705
		} else
706
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
707
	} else if (type == NTLMv2) {
708
		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
709

710
		/* LM2 password would be here if we supported it */
711
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
712

713
		/* calculate nlmv2 response and session key */
714
		rc = setup_ntlmv2_rsp(ses, nls_cp);
715
		if (rc) {
716
			cERROR(1, "Error %d during NTLMv2 authentication", rc);
717
			goto ssetup_exit;
718
		}
719
		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
720
				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
721
		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
722

723
		/* set case sensitive password length after tilen may get
724
		 * assigned, tilen is 0 otherwise.
725
		 */
726
		pSMB->req_no_secext.CaseSensitivePasswordLength =
727
			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
728

729
		if (ses->capabilities & CAP_UNICODE) {
730
			if (iov[0].iov_len % 2) {
731
				*bcc_ptr = 0;
732
				bcc_ptr++;
733
			}
734
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
735
		} else
736
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
737
	} else if (type == Kerberos) {
738
#ifdef CONFIG_CIFS_UPCALL
739
		struct cifs_spnego_msg *msg;
740

741
		spnego_key = cifs_get_spnego_key(ses);
742
		if (IS_ERR(spnego_key)) {
743
			rc = PTR_ERR(spnego_key);
744
			spnego_key = NULL;
745
			goto ssetup_exit;
746
		}
747

748
		msg = spnego_key->payload.data;
749
		/* check version field to make sure that cifs.upcall is
750
		   sending us a response in an expected form */
751
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
752
			cERROR(1, "incorrect version of cifs.upcall (expected"
753
				   " %d but got %d)",
754
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version);
755
			rc = -EKEYREJECTED;
756
			goto ssetup_exit;
757
		}
758

759
		ses->auth_key.response = kmalloc(msg->sesskey_len, GFP_KERNEL);
760
		if (!ses->auth_key.response) {
761
			cERROR(1, "Kerberos can't allocate (%u bytes) memory",
762
					msg->sesskey_len);
763
			rc = -ENOMEM;
764
			goto ssetup_exit;
765
		}
766
		memcpy(ses->auth_key.response, msg->data, msg->sesskey_len);
767
		ses->auth_key.len = msg->sesskey_len;
768

769
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
770
		capabilities |= CAP_EXTENDED_SECURITY;
771
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
772
		iov[1].iov_base = msg->data + msg->sesskey_len;
773
		iov[1].iov_len = msg->secblob_len;
774
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
775

776
		if (ses->capabilities & CAP_UNICODE) {
777
			/* unicode strings must be word aligned */
778
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
779
				*bcc_ptr = 0;
780
				bcc_ptr++;
781
			}
782
			unicode_oslm_strings(&bcc_ptr, nls_cp);
783
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
784
		} else
785
		/* BB: is this right? */
786
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
787
#else /* ! CONFIG_CIFS_UPCALL */
788
		cERROR(1, "Kerberos negotiated but upcall support disabled!");
789
		rc = -ENOSYS;
790
		goto ssetup_exit;
791
#endif /* CONFIG_CIFS_UPCALL */
792
	} else if (type == RawNTLMSSP) {
793
		if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
794
			cERROR(1, "NTLMSSP requires Unicode support");
795
			rc = -ENOSYS;
796
			goto ssetup_exit;
797
		}
798

799
		cFYI(1, "ntlmssp session setup phase %d", phase);
800
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
801
		capabilities |= CAP_EXTENDED_SECURITY;
802
		pSMB->req.Capabilities |= cpu_to_le32(capabilities);
803
		switch(phase) {
804
		case NtLmNegotiate:
805
			build_ntlmssp_negotiate_blob(
806
				pSMB->req.SecurityBlob, ses);
807
			iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
808
			iov[1].iov_base = pSMB->req.SecurityBlob;
809
			pSMB->req.SecurityBlobLength =
810
				cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
811
			break;
812
		case NtLmAuthenticate:
813
			/*
814
			 * 5 is an empirical value, large enough to hold
815
			 * authenticate message plus max 10 of av paris,
816
			 * domain, user, workstation names, flags, etc.
817
			 */
818
			ntlmsspblob = kzalloc(
819
				5*sizeof(struct _AUTHENTICATE_MESSAGE),
820
				GFP_KERNEL);
821
			if (!ntlmsspblob) {
822
				cERROR(1, "Can't allocate NTLMSSP blob");
823
				rc = -ENOMEM;
824
				goto ssetup_exit;
825
			}
826

827
			rc = build_ntlmssp_auth_blob(ntlmsspblob,
828
						&blob_len, ses, nls_cp);
829
			if (rc)
830
				goto ssetup_exit;
831
			iov[1].iov_len = blob_len;
832
			iov[1].iov_base = ntlmsspblob;
833
			pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
834
			/*
835
			 * Make sure that we tell the server that we are using
836
			 * the uid that it just gave us back on the response
837
			 * (challenge)
838
			 */
839
			smb_buf->Uid = ses->Suid;
840
			break;
841
		default:
842
			cERROR(1, "invalid phase %d", phase);
843
			rc = -ENOSYS;
844
			goto ssetup_exit;
845
		}
846
		/* unicode strings must be word aligned */
847
		if ((iov[0].iov_len + iov[1].iov_len) % 2) {
848
			*bcc_ptr = 0;
849
			bcc_ptr++;
850
		}
851
		unicode_oslm_strings(&bcc_ptr, nls_cp);
852
	} else {
853
		cERROR(1, "secType %d not supported!", type);
854
		rc = -ENOSYS;
855
		goto ssetup_exit;
856
	}
857

858
	iov[2].iov_base = str_area;
859
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;
860

861
	count = iov[1].iov_len + iov[2].iov_len;
862
	smb_buf->smb_buf_length =
863
		cpu_to_be32(be32_to_cpu(smb_buf->smb_buf_length) + count);
864

865
	put_bcc(count, smb_buf);
866

867
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
868
			  CIFS_LOG_ERROR);
869
	/* SMB request buf freed in SendReceive2 */
870

871
	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
872
	smb_buf = (struct smb_hdr *)iov[0].iov_base;
873

874
	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
875
			cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
876
		if (phase != NtLmNegotiate) {
877
			cERROR(1, "Unexpected more processing error");
878
			goto ssetup_exit;
879
		}
880
		/* NTLMSSP Negotiate sent now processing challenge (response) */
881
		phase = NtLmChallenge; /* process ntlmssp challenge */
882
		rc = 0; /* MORE_PROC rc is not an error here, but expected */
883
	}
884
	if (rc)
885
		goto ssetup_exit;
886

887
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
888
		rc = -EIO;
889
		cERROR(1, "bad word count %d", smb_buf->WordCount);
890
		goto ssetup_exit;
891
	}
892
	action = le16_to_cpu(pSMB->resp.Action);
893
	if (action & GUEST_LOGIN)
894
		cFYI(1, "Guest login"); /* BB mark SesInfo struct? */
895
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
896
	cFYI(1, "UID = %d ", ses->Suid);
897
	/* response can have either 3 or 4 word count - Samba sends 3 */
898
	/* and lanman response is 3 */
899
	bytes_remaining = get_bcc(smb_buf);
900
	bcc_ptr = pByteArea(smb_buf);
901

902
	if (smb_buf->WordCount == 4) {
903
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
904
		if (blob_len > bytes_remaining) {
905
			cERROR(1, "bad security blob length %d", blob_len);
906
			rc = -EINVAL;
907
			goto ssetup_exit;
908
		}
909
		if (phase == NtLmChallenge) {
910
			rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
911
			/* now goto beginning for ntlmssp authenticate phase */
912
			if (rc)
913
				goto ssetup_exit;
914
		}
915
		bcc_ptr += blob_len;
916
		bytes_remaining -= blob_len;
917
	}
918

919
	/* BB check if Unicode and decode strings */
920
	if (bytes_remaining == 0) {
921
		/* no string area to decode, do nothing */
922
	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
923
		/* unicode string area must be word-aligned */
924
		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
925
			++bcc_ptr;
926
			--bytes_remaining;
927
		}
928
		decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
929
	} else {
930
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
931
					 ses, nls_cp);
932
	}
933

934
ssetup_exit:
935
	if (spnego_key) {
936
		key_revoke(spnego_key);
937
		key_put(spnego_key);
938
	}
939
	kfree(str_area);
940
	kfree(ntlmsspblob);
941
	ntlmsspblob = NULL;
942
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
943
		cFYI(1, "ssetup freeing small buf %p", iov[0].iov_base);
944
		cifs_small_buf_release(iov[0].iov_base);
945
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
946
		cifs_buf_release(iov[0].iov_base);
947

948
	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
949
	if ((phase == NtLmChallenge) && (rc == 0))
950
		goto ssetup_ntlmssp_authenticate;
951

952
	return rc;
953
}
954

955