1 files changed, 297 insertions, 76 deletions
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 5c68b4282be9..897a052270f9 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -3,7 +3,7 @@
 *
 *   SMB/CIFS session setup handling routines
 *
- *   Copyright (c) International Business Machines  Corp., 2006, 2007
+ *   Copyright (c) International Business Machines  Corp., 2006, 2009
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
@@ -111,7 +111,7 @@ static __le16 get_next_vcnum(struct cifsSesInfo *ses)
 get_vc_num_exit:
        write_unlock(&cifs_tcp_ses_lock);
-        return le16_to_cpu(vcnum);
+        return cpu_to_le16(vcnum);
 }
 static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
@@ -277,85 +277,51 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
        *pbcc_area = bcc_ptr;
 }
-static int decode_unicode_ssetup(char **pbcc_area, int bleft,
+static void
-                                 struct cifsSesInfo *ses,
+decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
-                                 const struct nls_table *nls_cp)
+                      const struct nls_table *nls_cp)
 {
-        int rc = 0;
+        int len;
-        int words_left, len;
        char *data = *pbcc_area;
        cFYI(1, ("bleft %d", bleft));
+        /*
-        /* SMB header is unaligned, so cifs servers word align start of
+         * Windows servers do not always double null terminate their final
-           Unicode strings */
+         * Unicode string. Check to see if there are an uneven number of bytes
-        data++;
+         * left. If so, then add an extra NULL pad byte to the end of the
-        bleft--; /* Windows servers do not always double null terminate
+         * response.
-                    their final Unicode string - in which case we
+         *
-                    now will not attempt to decode the byte of junk
+         * See section 2.7.2 in "Implementing CIFS" for details
-                    which follows it */
+         */
+        if (bleft % 2) {
-        words_left = bleft / 2;
+                data[bleft] = 0;
+                ++bleft;
-        /* save off server operating system */
+        }
-        len = UniStrnlen((wchar_t *) data, words_left);
-/* We look for obvious messed up bcc or strings in response so we do not go off
-   the end since (at least) WIN2K and Windows XP have a major bug in not null
-   terminating last Unicode string in response  */
-        if (len >= words_left)
-                return rc;
        kfree(ses->serverOS);
-        /* UTF-8 string will not grow more than four times as big as UCS-16 */
+        ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
-        ses->serverOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);
+        cFYI(1, ("serverOS=%s", ses->serverOS));
-        if (ses->serverOS != NULL)
+        len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
-                cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp);
+        data += len;
-        data += 2 * (len + 1);
+        bleft -= len;
-        words_left -= len + 1;
+        if (bleft <= 0)
+                return;
-        /* save off server network operating system */
-        len = UniStrnlen((wchar_t *) data, words_left);
-        if (len >= words_left)
-                return rc;
        kfree(ses->serverNOS);
-        ses->serverNOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);
+        ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
-        if (ses->serverNOS != NULL) {
+        cFYI(1, ("serverNOS=%s", ses->serverNOS));
-                cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
+        len = (UniStrnlen((wchar_t *) data, bleft / 2) * 2) + 2;
-                                   nls_cp);
+        data += len;
-                if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
+        bleft -= len;
-                        cFYI(1, ("NT4 server"));
+        if (bleft <= 0)
-                        ses->flags |= CIFS_SES_NT4;
+                return;
-                }
-        }
-        data += 2 * (len + 1);
-        words_left -= len + 1;
-        /* save off server domain */
-        len = UniStrnlen((wchar_t *) data, words_left);
-        if (len > words_left)
-                return rc;
        kfree(ses->serverDomain);
-        ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+        ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
-        if (ses->serverDomain != NULL) {
+        cFYI(1, ("serverDomain=%s", ses->serverDomain));
-                cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
-                                   nls_cp);
-                ses->serverDomain[2*len] = 0;
-                ses->serverDomain[(2*len) + 1] = 0;
-        }
-        data += 2 * (len + 1);
-        words_left -= len + 1;
-        cFYI(1, ("words left: %d", words_left));
+        return;
-        return rc;
 }
 static int decode_ascii_ssetup(char **pbcc_area, int bleft,
@@ -412,6 +378,186 @@ static int decode_ascii_ssetup(char **pbcc_area, int bleft,
        return rc;
 }
+static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
+                                    struct cifsSesInfo *ses)
+{
+        CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
+        if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
+                cERROR(1, ("challenge blob len %d too small", blob_len));
+                return -EINVAL;
+        }
+        if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
+                cERROR(1, ("blob signature incorrect %s", pblob->Signature));
+                return -EINVAL;
+        }
+        if (pblob->MessageType != NtLmChallenge) {
+                cERROR(1, ("Incorrect message type %d", pblob->MessageType));
+                return -EINVAL;
+        }
+        memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
+        /* BB we could decode pblob->NegotiateFlags; some may be useful */
+        /* In particular we can examine sign flags */
+        /* BB spec says that if AvId field of MsvAvTimestamp is populated then
+                we must set the MIC field of the AUTHENTICATE_MESSAGE */
+        return 0;
+}
+#ifdef CONFIG_CIFS_EXPERIMENTAL
+/* BB Move to ntlmssp.c eventually */
+/* We do not malloc the blob, it is passed in pbuffer, because
+   it is fixed size, and small, making this approach cleaner */
+static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
+                                         struct cifsSesInfo *ses)
+{
+        NEGOTIATE_MESSAGE *sec_blob = (NEGOTIATE_MESSAGE *)pbuffer;
+        __u32 flags;
+        memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
+        sec_blob->MessageType = NtLmNegotiate;
+        /* BB is NTLMV2 session security format easier to use here? */
+        flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
+                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+                NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
+        if (ses->server->secMode &
+           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+                flags |= NTLMSSP_NEGOTIATE_SIGN;
+        if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
+                flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+        sec_blob->NegotiateFlags |= cpu_to_le32(flags);
+        sec_blob->WorkstationName.BufferOffset = 0;
+        sec_blob->WorkstationName.Length = 0;
+        sec_blob->WorkstationName.MaximumLength = 0;
+        /* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
+        sec_blob->DomainName.BufferOffset = 0;
+        sec_blob->DomainName.Length = 0;
+        sec_blob->DomainName.MaximumLength = 0;
+}
+/* We do not malloc the blob, it is passed in pbuffer, because its
+   maximum possible size is fixed and small, making this approach cleaner.
+   This function returns the length of the data in the blob */
+static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
+                                   struct cifsSesInfo *ses,
+                                   const struct nls_table *nls_cp, int first)
+{
+        AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
+        __u32 flags;
+        unsigned char *tmp;
+        char ntlm_session_key[CIFS_SESS_KEY_SIZE];
+        memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
+        sec_blob->MessageType = NtLmAuthenticate;
+        flags = NTLMSSP_NEGOTIATE_56 |
+                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
+                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
+                NTLMSSP_NEGOTIATE_NT_ONLY | NTLMSSP_NEGOTIATE_NTLM;
+        if (ses->server->secMode &
+           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+                flags |= NTLMSSP_NEGOTIATE_SIGN;
+        if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
+                flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+        tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
+        sec_blob->NegotiateFlags |= cpu_to_le32(flags);
+        sec_blob->LmChallengeResponse.BufferOffset =
+                                cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
+        sec_blob->LmChallengeResponse.Length = 0;
+        sec_blob->LmChallengeResponse.MaximumLength = 0;
+        /* calculate session key,  BB what about adding similar ntlmv2 path? */
+        SMBNTencrypt(ses->password, ses->server->cryptKey, ntlm_session_key);
+        if (first)
+                cifs_calculate_mac_key(&ses->server->mac_signing_key,
+                                       ntlm_session_key, ses->password);
+        memcpy(tmp, ntlm_session_key, CIFS_SESS_KEY_SIZE);
+        sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
+        sec_blob->NtChallengeResponse.Length = cpu_to_le16(CIFS_SESS_KEY_SIZE);
+        sec_blob->NtChallengeResponse.MaximumLength =
+                                cpu_to_le16(CIFS_SESS_KEY_SIZE);
+        tmp += CIFS_SESS_KEY_SIZE;
+        if (ses->domainName == NULL) {
+                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+                sec_blob->DomainName.Length = 0;
+                sec_blob->DomainName.MaximumLength = 0;
+                tmp += 2;
+        } else {
+                int len;
+                len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
+                                    MAX_USERNAME_SIZE, nls_cp);
+                len *= 2; /* unicode is 2 bytes each */
+                len += 2; /* trailing null */
+                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+                sec_blob->DomainName.Length = cpu_to_le16(len);
+                sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
+                tmp += len;
+        }
+        if (ses->userName == NULL) {
+                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+                sec_blob->UserName.Length = 0;
+                sec_blob->UserName.MaximumLength = 0;
+                tmp += 2;
+        } else {
+                int len;
+                len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
+                                    MAX_USERNAME_SIZE, nls_cp);
+                len *= 2; /* unicode is 2 bytes each */
+                len += 2; /* trailing null */
+                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+                sec_blob->UserName.Length = cpu_to_le16(len);
+                sec_blob->UserName.MaximumLength = cpu_to_le16(len);
+                tmp += len;
+        }
+        sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+        sec_blob->WorkstationName.Length = 0;
+        sec_blob->WorkstationName.MaximumLength = 0;
+        tmp += 2;
+        sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
+        sec_blob->SessionKey.Length = 0;
+        sec_blob->SessionKey.MaximumLength = 0;
+        return tmp - pbuffer;
+}
+static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
+                                 struct cifsSesInfo *ses)
+{
+        build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
+        pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
+        return;
+}
+static int setup_ntlmssp_auth_req(SESSION_SETUP_ANDX *pSMB,
+                                  struct cifsSesInfo *ses,
+                                  const struct nls_table *nls, int first_time)
+{
+        int bloblen;
+        bloblen = build_ntlmssp_auth_blob(&pSMB->req.SecurityBlob[0], ses, nls,
+                                          first_time);
+        pSMB->req.SecurityBlobLength = cpu_to_le16(bloblen);
+        return bloblen;
+}
+#endif
 int
 CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
                const struct nls_table *nls_cp)
@@ -430,6 +576,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
        __u16 action;
        int bytes_remaining;
        struct key *spnego_key = NULL;
+        __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
        if (ses == NULL)
                return -EINVAL;
@@ -437,6 +584,10 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
        type = ses->server->secType;
        cFYI(1, ("sess setup type %d", type));
+ssetup_ntlmssp_authenticate:
+        if (phase == NtLmChallenge)
+                phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
        if (type == LANMAN) {
 #ifndef CONFIG_CIFS_WEAK_PW_HASH
                /* LANMAN and plaintext are less secure and off by default.
@@ -650,9 +801,53 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
                goto ssetup_exit;
 #endif /* CONFIG_CIFS_UPCALL */
        } else {
+#ifdef CONFIG_CIFS_EXPERIMENTAL
+                if ((experimEnabled > 1) && (type == RawNTLMSSP)) {
+                        if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
+                                cERROR(1, ("NTLMSSP requires Unicode support"));
+                                rc = -ENOSYS;
+                                goto ssetup_exit;
+                        }
+                        cFYI(1, ("ntlmssp session setup phase %d", phase));
+                        pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
+                        capabilities |= CAP_EXTENDED_SECURITY;
+                        pSMB->req.Capabilities |= cpu_to_le32(capabilities);
+                        if (phase == NtLmNegotiate) {
+                                setup_ntlmssp_neg_req(pSMB, ses);
+                                iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
+                        } else if (phase == NtLmAuthenticate) {
+                                int blob_len;
+                                blob_len = setup_ntlmssp_auth_req(pSMB, ses,
+                                                                  nls_cp,
+                                                                  first_time);
+                                iov[1].iov_len = blob_len;
+                                /* Make sure that we tell the server that we
+                                   are using the uid that it just gave us back
+                                   on the response (challenge) */
+                                smb_buf->Uid = ses->Suid;
+                        } else {
+                                cERROR(1, ("invalid phase %d", phase));
+                                rc = -ENOSYS;
+                                goto ssetup_exit;
+                        }
+                        iov[1].iov_base = &pSMB->req.SecurityBlob[0];
+                        /* unicode strings must be word aligned */
+                        if ((iov[0].iov_len + iov[1].iov_len) % 2) {
+                                *bcc_ptr = 0;
+                                bcc_ptr++;
+                        }
+                        unicode_oslm_strings(&bcc_ptr, nls_cp);
+                } else {
+                        cERROR(1, ("secType %d not supported!", type));
+                        rc = -ENOSYS;
+                        goto ssetup_exit;
+                }
+#else
                cERROR(1, ("secType %d not supported!", type));
                rc = -ENOSYS;
                goto ssetup_exit;
+#endif
        }
        iov[2].iov_base = str_area;
@@ -668,12 +863,23 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
        /* SMB request buf freed in SendReceive2 */
        cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
-        if (rc)
-                goto ssetup_exit;
        pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
        smb_buf = (struct smb_hdr *)iov[0].iov_base;
+        if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
+                        cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
+                if (phase != NtLmNegotiate) {
+                        cERROR(1, ("Unexpected more processing error"));
+                        goto ssetup_exit;
+                }
+                /* NTLMSSP Negotiate sent now processing challenge (response) */
+                phase = NtLmChallenge; /* process ntlmssp challenge */
+                rc = 0; /* MORE_PROC rc is not an error here, but expected */
+        }
+        if (rc)
+                goto ssetup_exit;
        if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
                rc = -EIO;
                cERROR(1, ("bad word count %d", smb_buf->WordCount));
@@ -692,22 +898,33 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
        if (smb_buf->WordCount == 4) {
                __u16 blob_len;
                blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
-                bcc_ptr += blob_len;
                if (blob_len > bytes_remaining) {
                        cERROR(1, ("bad security blob length %d", blob_len));
                        rc = -EINVAL;
                        goto ssetup_exit;
                }
+                if (phase == NtLmChallenge) {
+                        rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
+                        /* now goto beginning for ntlmssp authenticate phase */
+                        if (rc)
+                                goto ssetup_exit;
+                }
+                bcc_ptr += blob_len;
                bytes_remaining -= blob_len;
        }
        /* BB check if Unicode and decode strings */
-        if (smb_buf->Flags2 & SMBFLG2_UNICODE)
+        if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
-                rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
+                /* unicode string area must be word-aligned */
-                                                   ses, nls_cp);
+                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
-        else
+                        ++bcc_ptr;
+                        --bytes_remaining;
+                }
+                decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
+        } else {
                rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
                                         ses, nls_cp);
+        }
 ssetup_exit:
        if (spnego_key) {
@@ -721,5 +938,9 @@ ssetup_exit:
        } else if (resp_buf_type == CIFS_LARGE_BUFFER)
                cifs_buf_release(iov[0].iov_base);
+        /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
+        if ((phase == NtLmChallenge) && (rc == 0))
+                goto ssetup_ntlmssp_authenticate;
        return rc;
 }

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 5c68b4282be9..897a052270f9 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c
@@ -3,7 +3,7 @@
3	*	3	*
4	* SMB/CIFS session setup handling routines	4	* SMB/CIFS session setup handling routines
5	*	5	*
6	* Copyright (c) International Business Machines Corp., 2006, 2007	6	* Copyright (c) International Business Machines Corp., 2006, 2009
7	* Author(s): Steve French (sfrench@us.ibm.com)	7	* Author(s): Steve French (sfrench@us.ibm.com)
8	*	8	*
9	* This library is free software; you can redistribute it and/or modify	9	* This library is free software; you can redistribute it and/or modify
@@ -111,7 +111,7 @@ static __le16 get_next_vcnum(struct cifsSesInfo *ses)
111	get_vc_num_exit:	111	get_vc_num_exit:
112	write_unlock(&cifs_tcp_ses_lock);	112	write_unlock(&cifs_tcp_ses_lock);
113		113
114	return le16_to_cpu(vcnum);	114	return cpu_to_le16(vcnum);
115	}	115	}
116		116
117	static __u32 cifs_ssetup_hdr(struct cifsSesInfo ses, SESSION_SETUP_ANDX pSMB)	117	static __u32 cifs_ssetup_hdr(struct cifsSesInfo ses, SESSION_SETUP_ANDX pSMB)
@@ -277,85 +277,51 @@ static void ascii_ssetup_strings(char *pbcc_area, struct cifsSesInfo ses,
277	*pbcc_area = bcc_ptr;	277	*pbcc_area = bcc_ptr;
278	}	278	}
279		279
280	static int decode_unicode_ssetup(char **pbcc_area, int bleft,	280	static void
281	struct cifsSesInfo *ses,	281	decode_unicode_ssetup(char *pbcc_area, int bleft, struct cifsSesInfo ses,
282	const struct nls_table *nls_cp)	282	const struct nls_table *nls_cp)
283	{	283	{
284	int rc = 0;	284	int len;
285	int words_left, len;
286	char data = pbcc_area;	285	char data = pbcc_area;
287		286
288
289
290	cFYI(1, ("bleft %d", bleft));	287	cFYI(1, ("bleft %d", bleft));
291		288
292		289	/*
293	/* SMB header is unaligned, so cifs servers word align start of	290	* Windows servers do not always double null terminate their final
294	Unicode strings */	291	* Unicode string. Check to see if there are an uneven number of bytes
295	data++;	292	* left. If so, then add an extra NULL pad byte to the end of the
296	bleft--; /* Windows servers do not always double null terminate	293	* response.
297	their final Unicode string - in which case we	294	*
298	now will not attempt to decode the byte of junk	295	* See section 2.7.2 in "Implementing CIFS" for details
299	which follows it */	296	*/
300		297	if (bleft % 2) {
301	words_left = bleft / 2;	298	data[bleft] = 0;
302		299	++bleft;
303	/* save off server operating system */	300	}
304	len = UniStrnlen((wchar_t *) data, words_left);
305
306	/* We look for obvious messed up bcc or strings in response so we do not go off
307	the end since (at least) WIN2K and Windows XP have a major bug in not null
308	terminating last Unicode string in response */
309	if (len >= words_left)
310	return rc;
311		301
312	kfree(ses->serverOS);	302	kfree(ses->serverOS);
313	/* UTF-8 string will not grow more than four times as big as UCS-16 */	303	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
314	ses->serverOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);	304	cFYI(1, ("serverOS=%s", ses->serverOS));
315	if (ses->serverOS != NULL)	305	len = (UniStrnlen((wchar_t ) data, bleft / 2) 2) + 2;
316	cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp);	306	data += len;
317	data += 2 * (len + 1);	307	bleft -= len;
318	words_left -= len + 1;	308	if (bleft <= 0)
319		309	return;
320	/* save off server network operating system */
321	len = UniStrnlen((wchar_t *) data, words_left);
322
323	if (len >= words_left)
324	return rc;
325		310
326	kfree(ses->serverNOS);	311	kfree(ses->serverNOS);
327	ses->serverNOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);	312	ses->serverNOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
328	if (ses->serverNOS != NULL) {	313	cFYI(1, ("serverNOS=%s", ses->serverNOS));
329	cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,	314	len = (UniStrnlen((wchar_t ) data, bleft / 2) 2) + 2;
330	nls_cp);	315	data += len;
331	if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {	316	bleft -= len;
332	cFYI(1, ("NT4 server"));	317	if (bleft <= 0)
333	ses->flags \|= CIFS_SES_NT4;	318	return;
334	}
335	}
336	data += 2 * (len + 1);
337	words_left -= len + 1;
338
339	/* save off server domain */
340	len = UniStrnlen((wchar_t *) data, words_left);
341
342	if (len > words_left)
343	return rc;
344		319
345	kfree(ses->serverDomain);	320	kfree(ses->serverDomain);
346	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */	321	ses->serverDomain = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
347	if (ses->serverDomain != NULL) {	322	cFYI(1, ("serverDomain=%s", ses->serverDomain));
348	cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
349	nls_cp);
350	ses->serverDomain[2*len] = 0;
351	ses->serverDomain[(2*len) + 1] = 0;
352	}
353	data += 2 * (len + 1);
354	words_left -= len + 1;
355		323
356	cFYI(1, ("words left: %d", words_left));	324	return;
357
358	return rc;
359	}	325	}
360		326
361	static int decode_ascii_ssetup(char **pbcc_area, int bleft,	327	static int decode_ascii_ssetup(char **pbcc_area, int bleft,
@@ -412,6 +378,186 @@ static int decode_ascii_ssetup(char **pbcc_area, int bleft,
412	return rc;	378	return rc;
413	}	379	}
414		380
		381	static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
		382	struct cifsSesInfo *ses)
		383	{
		384	CHALLENGE_MESSAGE pblob = (CHALLENGE_MESSAGE )bcc_ptr;
		385
		386	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
		387	cERROR(1, ("challenge blob len %d too small", blob_len));
		388	return -EINVAL;
		389	}
		390
		391	if (memcmp(pblob->Signature, "NTLMSSP", 8)) {
		392	cERROR(1, ("blob signature incorrect %s", pblob->Signature));
		393	return -EINVAL;
		394	}
		395	if (pblob->MessageType != NtLmChallenge) {
		396	cERROR(1, ("Incorrect message type %d", pblob->MessageType));
		397	return -EINVAL;
		398	}
		399
		400	memcpy(ses->server->cryptKey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
		401	/* BB we could decode pblob->NegotiateFlags; some may be useful */
		402	/* In particular we can examine sign flags */
		403	/* BB spec says that if AvId field of MsvAvTimestamp is populated then
		404	we must set the MIC field of the AUTHENTICATE_MESSAGE */
		405
		406	return 0;
		407	}
		408
		409	#ifdef CONFIG_CIFS_EXPERIMENTAL
		410	/* BB Move to ntlmssp.c eventually */
		411
		412	/* We do not malloc the blob, it is passed in pbuffer, because
		413	it is fixed size, and small, making this approach cleaner */
		414	static void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
		415	struct cifsSesInfo *ses)
		416	{
		417	NEGOTIATE_MESSAGE sec_blob = (NEGOTIATE_MESSAGE )pbuffer;
		418	__u32 flags;
		419
		420	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
		421	sec_blob->MessageType = NtLmNegotiate;
		422
		423	/* BB is NTLMV2 session security format easier to use here? */
		424	flags = NTLMSSP_NEGOTIATE_56 \| NTLMSSP_REQUEST_TARGET \|
		425	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
		426	NTLMSSP_NEGOTIATE_NT_ONLY \| NTLMSSP_NEGOTIATE_NTLM;
		427	if (ses->server->secMode &
		428	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
		429	flags \|= NTLMSSP_NEGOTIATE_SIGN;
		430	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		431	flags \|= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
		432
		433	sec_blob->NegotiateFlags \|= cpu_to_le32(flags);
		434
		435	sec_blob->WorkstationName.BufferOffset = 0;
		436	sec_blob->WorkstationName.Length = 0;
		437	sec_blob->WorkstationName.MaximumLength = 0;
		438
		439	/* Domain name is sent on the Challenge not Negotiate NTLMSSP request */
		440	sec_blob->DomainName.BufferOffset = 0;
		441	sec_blob->DomainName.Length = 0;
		442	sec_blob->DomainName.MaximumLength = 0;
		443	}
		444
		445	/* We do not malloc the blob, it is passed in pbuffer, because its
		446	maximum possible size is fixed and small, making this approach cleaner.
		447	This function returns the length of the data in the blob */
		448	static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
		449	struct cifsSesInfo *ses,
		450	const struct nls_table *nls_cp, int first)
		451	{
		452	AUTHENTICATE_MESSAGE sec_blob = (AUTHENTICATE_MESSAGE )pbuffer;
		453	__u32 flags;
		454	unsigned char *tmp;
		455	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
		456
		457	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
		458	sec_blob->MessageType = NtLmAuthenticate;
		459
		460	flags = NTLMSSP_NEGOTIATE_56 \|
		461	NTLMSSP_REQUEST_TARGET \| NTLMSSP_NEGOTIATE_TARGET_INFO \|
		462	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
		463	NTLMSSP_NEGOTIATE_NT_ONLY \| NTLMSSP_NEGOTIATE_NTLM;
		464	if (ses->server->secMode &
		465	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
		466	flags \|= NTLMSSP_NEGOTIATE_SIGN;
		467	if (ses->server->secMode & SECMODE_SIGN_REQUIRED)
		468	flags \|= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
		469
		470	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
		471	sec_blob->NegotiateFlags \|= cpu_to_le32(flags);
		472
		473	sec_blob->LmChallengeResponse.BufferOffset =
		474	cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
		475	sec_blob->LmChallengeResponse.Length = 0;
		476	sec_blob->LmChallengeResponse.MaximumLength = 0;
		477
		478	/* calculate session key, BB what about adding similar ntlmv2 path? */
		479	SMBNTencrypt(ses->password, ses->server->cryptKey, ntlm_session_key);
		480	if (first)
		481	cifs_calculate_mac_key(&ses->server->mac_signing_key,
		482	ntlm_session_key, ses->password);
		483
		484	memcpy(tmp, ntlm_session_key, CIFS_SESS_KEY_SIZE);
		485	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
		486	sec_blob->NtChallengeResponse.Length = cpu_to_le16(CIFS_SESS_KEY_SIZE);
		487	sec_blob->NtChallengeResponse.MaximumLength =
		488	cpu_to_le16(CIFS_SESS_KEY_SIZE);
		489
		490	tmp += CIFS_SESS_KEY_SIZE;
		491
		492	if (ses->domainName == NULL) {
		493	sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		494	sec_blob->DomainName.Length = 0;
		495	sec_blob->DomainName.MaximumLength = 0;
		496	tmp += 2;
		497	} else {
		498	int len;
		499	len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
		500	MAX_USERNAME_SIZE, nls_cp);
		501	len = 2; / unicode is 2 bytes each */
		502	len += 2; /* trailing null */
		503	sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		504	sec_blob->DomainName.Length = cpu_to_le16(len);
		505	sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
		506	tmp += len;
		507	}
		508
		509	if (ses->userName == NULL) {
		510	sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		511	sec_blob->UserName.Length = 0;
		512	sec_blob->UserName.MaximumLength = 0;
		513	tmp += 2;
		514	} else {
		515	int len;
		516	len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
		517	MAX_USERNAME_SIZE, nls_cp);
		518	len = 2; / unicode is 2 bytes each */
		519	len += 2; /* trailing null */
		520	sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		521	sec_blob->UserName.Length = cpu_to_le16(len);
		522	sec_blob->UserName.MaximumLength = cpu_to_le16(len);
		523	tmp += len;
		524	}
		525
		526	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
		527	sec_blob->WorkstationName.Length = 0;
		528	sec_blob->WorkstationName.MaximumLength = 0;
		529	tmp += 2;
		530
		531	sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
		532	sec_blob->SessionKey.Length = 0;
		533	sec_blob->SessionKey.MaximumLength = 0;
		534	return tmp - pbuffer;
		535	}
		536
		537
		538	static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
		539	struct cifsSesInfo *ses)
		540	{
		541	build_ntlmssp_negotiate_blob(&pSMB->req.SecurityBlob[0], ses);
		542	pSMB->req.SecurityBlobLength = cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
		543
		544	return;
		545	}
		546
		547	static int setup_ntlmssp_auth_req(SESSION_SETUP_ANDX *pSMB,
		548	struct cifsSesInfo *ses,
		549	const struct nls_table *nls, int first_time)
		550	{
		551	int bloblen;
		552
		553	bloblen = build_ntlmssp_auth_blob(&pSMB->req.SecurityBlob[0], ses, nls,
		554	first_time);
		555	pSMB->req.SecurityBlobLength = cpu_to_le16(bloblen);
		556
		557	return bloblen;
		558	}
		559	#endif
		560
415	int	561	int
416	CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,	562	CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
417	const struct nls_table *nls_cp)	563	const struct nls_table *nls_cp)
@@ -430,6 +576,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
430	__u16 action;	576	__u16 action;
431	int bytes_remaining;	577	int bytes_remaining;
432	struct key *spnego_key = NULL;	578	struct key *spnego_key = NULL;
		579	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
433		580
434	if (ses == NULL)	581	if (ses == NULL)
435	return -EINVAL;	582	return -EINVAL;
@@ -437,6 +584,10 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
437	type = ses->server->secType;	584	type = ses->server->secType;
438		585
439	cFYI(1, ("sess setup type %d", type));	586	cFYI(1, ("sess setup type %d", type));
		587	ssetup_ntlmssp_authenticate:
		588	if (phase == NtLmChallenge)
		589	phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
		590
440	if (type == LANMAN) {	591	if (type == LANMAN) {
441	#ifndef CONFIG_CIFS_WEAK_PW_HASH	592	#ifndef CONFIG_CIFS_WEAK_PW_HASH
442	/* LANMAN and plaintext are less secure and off by default.	593	/* LANMAN and plaintext are less secure and off by default.
@@ -650,9 +801,53 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
650	goto ssetup_exit;	801	goto ssetup_exit;
651	#endif /* CONFIG_CIFS_UPCALL */	802	#endif /* CONFIG_CIFS_UPCALL */
652	} else {	803	} else {
		804	#ifdef CONFIG_CIFS_EXPERIMENTAL
		805	if ((experimEnabled > 1) && (type == RawNTLMSSP)) {
		806	if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
		807	cERROR(1, ("NTLMSSP requires Unicode support"));
		808	rc = -ENOSYS;
		809	goto ssetup_exit;
		810	}
		811
		812	cFYI(1, ("ntlmssp session setup phase %d", phase));
		813	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
		814	capabilities \|= CAP_EXTENDED_SECURITY;
		815	pSMB->req.Capabilities \|= cpu_to_le32(capabilities);
		816	if (phase == NtLmNegotiate) {
		817	setup_ntlmssp_neg_req(pSMB, ses);
		818	iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
		819	} else if (phase == NtLmAuthenticate) {
		820	int blob_len;
		821	blob_len = setup_ntlmssp_auth_req(pSMB, ses,
		822	nls_cp,
		823	first_time);
		824	iov[1].iov_len = blob_len;
		825	/* Make sure that we tell the server that we
		826	are using the uid that it just gave us back
		827	on the response (challenge) */
		828	smb_buf->Uid = ses->Suid;
		829	} else {
		830	cERROR(1, ("invalid phase %d", phase));
		831	rc = -ENOSYS;
		832	goto ssetup_exit;
		833	}
		834	iov[1].iov_base = &pSMB->req.SecurityBlob[0];
		835	/* unicode strings must be word aligned */
		836	if ((iov[0].iov_len + iov[1].iov_len) % 2) {
		837	*bcc_ptr = 0;
		838	bcc_ptr++;
		839	}
		840	unicode_oslm_strings(&bcc_ptr, nls_cp);
		841	} else {
		842	cERROR(1, ("secType %d not supported!", type));
		843	rc = -ENOSYS;
		844	goto ssetup_exit;
		845	}
		846	#else
653	cERROR(1, ("secType %d not supported!", type));	847	cERROR(1, ("secType %d not supported!", type));
654	rc = -ENOSYS;	848	rc = -ENOSYS;
655	goto ssetup_exit;	849	goto ssetup_exit;
		850	#endif
656	}	851	}
657		852
658	iov[2].iov_base = str_area;	853	iov[2].iov_base = str_area;
@@ -668,12 +863,23 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
668	/* SMB request buf freed in SendReceive2 */	863	/* SMB request buf freed in SendReceive2 */
669		864
670	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));	865	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
671	if (rc)
672	goto ssetup_exit;
673		866
674	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;	867	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
675	smb_buf = (struct smb_hdr *)iov[0].iov_base;	868	smb_buf = (struct smb_hdr *)iov[0].iov_base;
676		869
		870	if ((type == RawNTLMSSP) && (smb_buf->Status.CifsError ==
		871	cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))) {
		872	if (phase != NtLmNegotiate) {
		873	cERROR(1, ("Unexpected more processing error"));
		874	goto ssetup_exit;
		875	}
		876	/* NTLMSSP Negotiate sent now processing challenge (response) */
		877	phase = NtLmChallenge; /* process ntlmssp challenge */
		878	rc = 0; /* MORE_PROC rc is not an error here, but expected */
		879	}
		880	if (rc)
		881	goto ssetup_exit;
		882
677	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {	883	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
678	rc = -EIO;	884	rc = -EIO;
679	cERROR(1, ("bad word count %d", smb_buf->WordCount));	885	cERROR(1, ("bad word count %d", smb_buf->WordCount));
@@ -692,22 +898,33 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
692	if (smb_buf->WordCount == 4) {	898	if (smb_buf->WordCount == 4) {
693	__u16 blob_len;	899	__u16 blob_len;
694	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);	900	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
695	bcc_ptr += blob_len;
696	if (blob_len > bytes_remaining) {	901	if (blob_len > bytes_remaining) {
697	cERROR(1, ("bad security blob length %d", blob_len));	902	cERROR(1, ("bad security blob length %d", blob_len));
698	rc = -EINVAL;	903	rc = -EINVAL;
699	goto ssetup_exit;	904	goto ssetup_exit;
700	}	905	}
		906	if (phase == NtLmChallenge) {
		907	rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
		908	/* now goto beginning for ntlmssp authenticate phase */
		909	if (rc)
		910	goto ssetup_exit;
		911	}
		912	bcc_ptr += blob_len;
701	bytes_remaining -= blob_len;	913	bytes_remaining -= blob_len;
702	}	914	}
703		915
704	/* BB check if Unicode and decode strings */	916	/* BB check if Unicode and decode strings */
705	if (smb_buf->Flags2 & SMBFLG2_UNICODE)	917	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
706	rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,	918	/* unicode string area must be word-aligned */
707	ses, nls_cp);	919	if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
708	else	920	++bcc_ptr;
		921	--bytes_remaining;
		922	}
		923	decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses, nls_cp);
		924	} else {
709	rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,	925	rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
710	ses, nls_cp);	926	ses, nls_cp);
		927	}
711		928
712	ssetup_exit:	929	ssetup_exit:
713	if (spnego_key) {	930	if (spnego_key) {
@@ -721,5 +938,9 @@ ssetup_exit:
721	} else if (resp_buf_type == CIFS_LARGE_BUFFER)	938	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
722	cifs_buf_release(iov[0].iov_base);	939	cifs_buf_release(iov[0].iov_base);
723		940
		941	/* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
		942	if ((phase == NtLmChallenge) && (rc == 0))
		943	goto ssetup_ntlmssp_authenticate;
		944
724	return rc;	945	return rc;
725	}	946	}