4 * SMB/CIFS session setup handling routines
6 * Copyright (c) International Business Machines Corp., 2006
7 * Author(s): Steve French (sfrench@us.ibm.com)
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 #include "cifsproto.h"
27 #include "cifs_unicode.h"
28 #include "cifs_debug.h"
31 #include <linux/utsname.h>
33 extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
36 static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
38 __u32 capabilities = 0;
40 /* init fields common to all four types of SessSetup */
41 /* note that header is initialized to zero in header_assemble */
42 pSMB->req.AndXCommand = 0xFF;
43 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
44 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
46 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
48 /* BB verify whether signing required on neg or just on auth frame
51 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
52 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
54 if(ses->server->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
55 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
57 if (ses->capabilities & CAP_UNICODE) {
58 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
59 capabilities |= CAP_UNICODE;
61 if (ses->capabilities & CAP_STATUS32) {
62 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
63 capabilities |= CAP_STATUS32;
65 if (ses->capabilities & CAP_DFS) {
66 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
67 capabilities |= CAP_DFS;
69 if (ses->capabilities & CAP_UNIX) {
70 capabilities |= CAP_UNIX;
73 /* BB check whether to init vcnum BB */
77 static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
78 const struct nls_table * nls_cp)
80 char * bcc_ptr = *pbcc_area;
83 /* BB FIXME add check that strings total less
84 than 335 or will need to send them as arrays */
86 /* unicode strings, must be word aligned before the call */
87 /* if ((long) bcc_ptr % 2) {
92 if(ses->userName == NULL) {
96 } else { /* 300 should be long enough for any conceivable user name */
97 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
100 bcc_ptr += 2 * bytes_ret;
101 bcc_ptr += 2; /* account for null termination */
103 if(ses->domainName == NULL) {
104 /* Sending null domain better than using a bogus domain name (as
105 we did briefly in 2.6.18) since server will use its default */
110 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
112 bcc_ptr += 2 * bytes_ret;
113 bcc_ptr += 2; /* account for null terminator */
115 /* Copy OS version */
116 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
118 bcc_ptr += 2 * bytes_ret;
119 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
121 bcc_ptr += 2 * bytes_ret;
122 bcc_ptr += 2; /* trailing null */
124 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
126 bcc_ptr += 2 * bytes_ret;
127 bcc_ptr += 2; /* trailing null */
129 *pbcc_area = bcc_ptr;
132 static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
133 const struct nls_table * nls_cp)
135 char * bcc_ptr = *pbcc_area;
138 /* BB what about null user mounts - check that we do this BB */
140 if(ses->userName == NULL) {
141 /* BB what about null user mounts - check that we do this BB */
142 } else { /* 300 should be long enough for any conceivable user name */
143 strncpy(bcc_ptr, ses->userName, 300);
145 /* BB improve check for overflow */
146 bcc_ptr += strnlen(ses->userName, 300);
148 bcc_ptr++; /* account for null termination */
152 if(ses->domainName != NULL) {
153 strncpy(bcc_ptr, ses->domainName, 256);
154 bcc_ptr += strnlen(ses->domainName, 256);
155 } /* else we will send a null domain name
156 so the server will default to its own domain */
160 /* BB check for overflow here */
162 strcpy(bcc_ptr, "Linux version ");
163 bcc_ptr += strlen("Linux version ");
164 strcpy(bcc_ptr, init_utsname()->release);
165 bcc_ptr += strlen(init_utsname()->release) + 1;
167 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
168 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
170 *pbcc_area = bcc_ptr;
173 static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
174 const struct nls_table * nls_cp)
178 char * data = *pbcc_area;
182 cFYI(1,("bleft %d",bleft));
185 /* word align, if bytes remaining is not even */
190 words_left = bleft / 2;
192 /* save off server operating system */
193 len = UniStrnlen((wchar_t *) data, words_left);
195 /* We look for obvious messed up bcc or strings in response so we do not go off
196 the end since (at least) WIN2K and Windows XP have a major bug in not null
197 terminating last Unicode string in response */
198 if(len >= words_left)
202 kfree(ses->serverOS);
203 /* UTF-8 string will not grow more than four times as big as UCS-16 */
204 ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
205 if(ses->serverOS != NULL) {
206 cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
209 data += 2 * (len + 1);
210 words_left -= len + 1;
212 /* save off server network operating system */
213 len = UniStrnlen((wchar_t *) data, words_left);
215 if(len >= words_left)
219 kfree(ses->serverNOS);
220 ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
221 if(ses->serverNOS != NULL) {
222 cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
224 if(strncmp(ses->serverNOS, "NT LAN Manager 4",16) == 0) {
225 cFYI(1,("NT4 server"));
226 ses->flags |= CIFS_SES_NT4;
229 data += 2 * (len + 1);
230 words_left -= len + 1;
232 /* save off server domain */
233 len = UniStrnlen((wchar_t *) data, words_left);
238 if(ses->serverDomain)
239 kfree(ses->serverDomain);
240 ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
241 if(ses->serverDomain != NULL) {
242 cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
244 ses->serverDomain[2*len] = 0;
245 ses->serverDomain[(2*len) + 1] = 0;
247 data += 2 * (len + 1);
248 words_left -= len + 1;
250 cFYI(1,("words left: %d",words_left));
255 static int decode_ascii_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
256 const struct nls_table * nls_cp)
260 char * bcc_ptr = *pbcc_area;
262 cFYI(1,("decode sessetup ascii. bleft %d", bleft));
264 len = strnlen(bcc_ptr, bleft);
269 kfree(ses->serverOS);
271 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
273 strncpy(ses->serverOS, bcc_ptr, len);
274 if(strncmp(ses->serverOS, "OS/2",4) == 0) {
275 cFYI(1,("OS/2 server"));
276 ses->flags |= CIFS_SES_OS2;
282 len = strnlen(bcc_ptr, bleft);
287 kfree(ses->serverNOS);
289 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
291 strncpy(ses->serverNOS, bcc_ptr, len);
296 len = strnlen(bcc_ptr, bleft);
300 /* No domain field in LANMAN case. Domain is
301 returned by old servers in the SMB negprot response */
302 /* BB For newer servers which do not support Unicode,
303 but thus do return domain here we could add parsing
304 for it later, but it is not very important */
305 cFYI(1,("ascii: bytes left %d",bleft));
311 CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
312 const struct nls_table *nls_cp)
316 struct smb_hdr *smb_buf;
319 SESSION_SETUP_ANDX *pSMB;
322 int resp_buf_type = 0;
324 enum securityEnum type;
331 type = ses->server->secType;
333 cFYI(1,("sess setup type %d",type));
335 #ifndef CONFIG_CIFS_WEAK_PW_HASH
336 /* LANMAN and plaintext are less secure and off by default.
337 So we make this explicitly be turned on in kconfig (in the
338 build) and turned on at runtime (changed from the default)
339 in proc/fs/cifs or via mount parm. Unfortunately this is
340 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
343 wct = 10; /* lanman 2 style sessionsetup */
344 } else if((type == NTLM) || (type == NTLMv2)) {
345 /* For NTLMv2 failures eventually may need to retry NTLM */
346 wct = 13; /* old style NTLM sessionsetup */
347 } else /* same size for negotiate or auth, NTLMSSP or extended security */
350 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
355 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
357 capabilities = cifs_ssetup_hdr(ses, pSMB);
359 /* we will send the SMB in two pieces,
360 a fixed length beginning part, and a
361 second part which will include the strings
362 and rest of bcc area, in order to avoid having
363 to do a large buffer 17K allocation */
364 iov[0].iov_base = (char *)pSMB;
365 iov[0].iov_len = smb_buf->smb_buf_length + 4;
367 /* 2000 big enough to fit max user, domain, NOS name etc. */
368 str_area = kmalloc(2000, GFP_KERNEL);
371 ses->flags &= ~CIFS_SES_LANMAN;
374 #ifdef CONFIG_CIFS_WEAK_PW_HASH
375 char lnm_session_key[CIFS_SESS_KEY_SIZE];
377 /* no capabilities flags in old lanman negotiation */
379 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
380 /* BB calculate hash with password */
381 /* and copy into bcc */
383 calc_lanman_hash(ses, lnm_session_key);
384 ses->flags |= CIFS_SES_LANMAN;
385 /* #ifdef CONFIG_CIFS_DEBUG2
386 cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
389 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
390 bcc_ptr += CIFS_SESS_KEY_SIZE;
392 /* can not sign if LANMAN negotiated so no need
393 to calculate signing key? but what if server
394 changed to do higher than lanman dialect and
395 we reconnected would we ever calc signing_key? */
397 cFYI(1,("Negotiating LANMAN setting up strings"));
398 /* Unicode not allowed for LANMAN dialects */
399 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
401 } else if (type == NTLM) {
402 char ntlm_session_key[CIFS_SESS_KEY_SIZE];
404 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
405 pSMB->req_no_secext.CaseInsensitivePasswordLength =
406 cpu_to_le16(CIFS_SESS_KEY_SIZE);
407 pSMB->req_no_secext.CaseSensitivePasswordLength =
408 cpu_to_le16(CIFS_SESS_KEY_SIZE);
410 /* calculate session key */
411 SMBNTencrypt(ses->password, ses->server->cryptKey,
414 if(first_time) /* should this be moved into common code
415 with similar ntlmv2 path? */
416 cifs_calculate_mac_key(ses->server->mac_signing_key,
417 ntlm_session_key, ses->password);
418 /* copy session key */
420 memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
421 bcc_ptr += CIFS_SESS_KEY_SIZE;
422 memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
423 bcc_ptr += CIFS_SESS_KEY_SIZE;
424 if(ses->capabilities & CAP_UNICODE) {
425 /* unicode strings must be word aligned */
426 if (iov[0].iov_len % 2) {
430 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
432 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
433 } else if (type == NTLMv2) {
435 kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
437 /* BB FIXME change all users of v2_sess_key to
438 struct ntlmv2_resp */
440 if(v2_sess_key == NULL) {
441 cifs_small_buf_release(smb_buf);
445 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
447 /* LM2 password would be here if we supported it */
448 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
449 /* cpu_to_le16(LM2_SESS_KEY_SIZE); */
451 pSMB->req_no_secext.CaseSensitivePasswordLength =
452 cpu_to_le16(sizeof(struct ntlmv2_resp));
454 /* calculate session key */
455 setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
456 if(first_time) /* should this be moved into common code
457 with similar ntlmv2 path? */
458 /* cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
459 response BB FIXME, v2_sess_key); */
461 /* copy session key */
463 /* memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
464 bcc_ptr += LM2_SESS_KEY_SIZE; */
465 memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
466 bcc_ptr += sizeof(struct ntlmv2_resp);
468 if(ses->capabilities & CAP_UNICODE) {
469 if(iov[0].iov_len % 2) {
472 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
474 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
475 } else /* NTLMSSP or SPNEGO */ {
476 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
477 capabilities |= CAP_EXTENDED_SECURITY;
478 pSMB->req.Capabilities = cpu_to_le32(capabilities);
479 /* BB set password lengths */
482 count = (long) bcc_ptr - (long) str_area;
483 smb_buf->smb_buf_length += count;
485 BCC_LE(smb_buf) = cpu_to_le16(count);
487 iov[1].iov_base = str_area;
488 iov[1].iov_len = count;
489 rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
490 /* SMB request buf freed in SendReceive2 */
492 cFYI(1,("ssetup rc from sendrecv2 is %d",rc));
496 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
497 smb_buf = (struct smb_hdr *)iov[0].iov_base;
499 if((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
501 cERROR(1,("bad word count %d", smb_buf->WordCount));
504 action = le16_to_cpu(pSMB->resp.Action);
505 if (action & GUEST_LOGIN)
506 cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
507 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
508 cFYI(1, ("UID = %d ", ses->Suid));
509 /* response can have either 3 or 4 word count - Samba sends 3 */
510 /* and lanman response is 3 */
511 bytes_remaining = BCC(smb_buf);
512 bcc_ptr = pByteArea(smb_buf);
514 if(smb_buf->WordCount == 4) {
516 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
518 if(blob_len > bytes_remaining) {
519 cERROR(1,("bad security blob length %d", blob_len));
523 bytes_remaining -= blob_len;
526 /* BB check if Unicode and decode strings */
527 if(smb_buf->Flags2 & SMBFLG2_UNICODE)
528 rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
531 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
535 if(resp_buf_type == CIFS_SMALL_BUFFER) {
536 cFYI(1,("ssetup freeing small buf %p", iov[0].iov_base));
537 cifs_small_buf_release(iov[0].iov_base);
538 } else if(resp_buf_type == CIFS_LARGE_BUFFER)
539 cifs_buf_release(iov[0].iov_base);