4 * SMB/CIFS session setup handling routines
6 * Copyright (c) International Business Machines Corp., 2006
7 * Author(s): Steve French (sfrench@us.ibm.com)
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 #include "cifsproto.h"
27 #include "cifs_unicode.h"
28 #include "cifs_debug.h"
31 #include <linux/utsname.h>
33 extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
36 static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
38 __u32 capabilities = 0;
40 /* init fields common to all four types of SessSetup */
41 /* note that header is initialized to zero in header_assemble */
42 pSMB->req.AndXCommand = 0xFF;
43 pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
44 pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
46 /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
48 /* BB verify whether signing required on neg or just on auth frame
51 capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
52 CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
54 if(ses->server->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
55 pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
57 if (ses->capabilities & CAP_UNICODE) {
58 pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
59 capabilities |= CAP_UNICODE;
61 if (ses->capabilities & CAP_STATUS32) {
62 pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
63 capabilities |= CAP_STATUS32;
65 if (ses->capabilities & CAP_DFS) {
66 pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
67 capabilities |= CAP_DFS;
69 if (ses->capabilities & CAP_UNIX) {
70 capabilities |= CAP_UNIX;
73 /* BB check whether to init vcnum BB */
77 static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
78 const struct nls_table * nls_cp)
80 char * bcc_ptr = *pbcc_area;
83 /* BB FIXME add check that strings total less
84 than 335 or will need to send them as arrays */
86 /* unicode strings, must be word aligned before the call */
87 /* if ((long) bcc_ptr % 2) {
92 if(ses->userName == NULL) {
96 } else { /* 300 should be long enough for any conceivable user name */
97 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
100 bcc_ptr += 2 * bytes_ret;
101 bcc_ptr += 2; /* account for null termination */
103 if(ses->domainName == NULL) {
104 /* Sending null domain better than using a bogus domain name (as
105 we did briefly in 2.6.18) since server will use its default */
110 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
112 bcc_ptr += 2 * bytes_ret;
113 bcc_ptr += 2; /* account for null terminator */
115 /* Copy OS version */
116 bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
118 bcc_ptr += 2 * bytes_ret;
119 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, system_utsname.release,
121 bcc_ptr += 2 * bytes_ret;
122 bcc_ptr += 2; /* trailing null */
124 bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
126 bcc_ptr += 2 * bytes_ret;
127 bcc_ptr += 2; /* trailing null */
129 *pbcc_area = bcc_ptr;
132 static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
133 const struct nls_table * nls_cp)
135 char * bcc_ptr = *pbcc_area;
138 /* BB what about null user mounts - check that we do this BB */
140 if(ses->userName == NULL) {
141 /* BB what about null user mounts - check that we do this BB */
142 } else { /* 300 should be long enough for any conceivable user name */
143 strncpy(bcc_ptr, ses->userName, 300);
145 /* BB improve check for overflow */
146 bcc_ptr += strnlen(ses->userName, 300);
148 bcc_ptr++; /* account for null termination */
152 if(ses->domainName != NULL) {
153 strncpy(bcc_ptr, ses->domainName, 256);
154 bcc_ptr += strnlen(ses->domainName, 256);
155 } /* else we will send a null domain name
156 so the server will default to its own domain */
160 /* BB check for overflow here */
162 strcpy(bcc_ptr, "Linux version ");
163 bcc_ptr += strlen("Linux version ");
164 strcpy(bcc_ptr, system_utsname.release);
165 bcc_ptr += strlen(system_utsname.release) + 1;
167 strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
168 bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
170 *pbcc_area = bcc_ptr;
173 static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
174 const struct nls_table * nls_cp)
178 char * data = *pbcc_area;
182 cFYI(1,("bleft %d",bleft));
185 /* word align, if bytes remaining is not even */
190 words_left = bleft / 2;
192 /* save off server operating system */
193 len = UniStrnlen((wchar_t *) data, words_left);
195 /* We look for obvious messed up bcc or strings in response so we do not go off
196 the end since (at least) WIN2K and Windows XP have a major bug in not null
197 terminating last Unicode string in response */
198 if(len >= words_left)
202 kfree(ses->serverOS);
203 /* UTF-8 string will not grow more than four times as big as UCS-16 */
204 ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
205 if(ses->serverOS != NULL) {
206 cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
209 data += 2 * (len + 1);
210 words_left -= len + 1;
212 /* save off server network operating system */
213 len = UniStrnlen((wchar_t *) data, words_left);
215 if(len >= words_left)
219 kfree(ses->serverNOS);
220 ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
221 if(ses->serverNOS != NULL) {
222 cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
224 if(strncmp(ses->serverNOS, "NT LAN Manager 4",16) == 0) {
225 cFYI(1,("NT4 server"));
226 ses->flags |= CIFS_SES_NT4;
229 data += 2 * (len + 1);
230 words_left -= len + 1;
232 /* save off server domain */
233 len = UniStrnlen((wchar_t *) data, words_left);
238 if(ses->serverDomain)
239 kfree(ses->serverDomain);
240 ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
241 if(ses->serverDomain != NULL) {
242 cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
244 ses->serverDomain[2*len] = 0;
245 ses->serverDomain[(2*len) + 1] = 0;
247 data += 2 * (len + 1);
248 words_left -= len + 1;
250 cFYI(1,("words left: %d",words_left));
255 static int decode_ascii_ssetup(char ** pbcc_area, int bleft, struct cifsSesInfo *ses,
256 const struct nls_table * nls_cp)
260 char * bcc_ptr = *pbcc_area;
262 cFYI(1,("decode sessetup ascii. bleft %d", bleft));
264 len = strnlen(bcc_ptr, bleft);
269 kfree(ses->serverOS);
271 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
273 strncpy(ses->serverOS, bcc_ptr, len);
278 len = strnlen(bcc_ptr, bleft);
283 kfree(ses->serverNOS);
285 ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
287 strncpy(ses->serverNOS, bcc_ptr, len);
292 len = strnlen(bcc_ptr, bleft);
296 if(ses->serverDomain)
297 kfree(ses->serverDomain);
299 ses->serverDomain = kzalloc(len + 1, GFP_KERNEL);
301 strncpy(ses->serverOS, bcc_ptr, len);
306 cFYI(1,("ascii: bytes left %d",bleft));
312 CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
313 const struct nls_table *nls_cp)
317 struct smb_hdr *smb_buf;
320 SESSION_SETUP_ANDX *pSMB;
323 int resp_buf_type = 0;
325 enum securityEnum type;
332 type = ses->server->secType;
334 cFYI(1,("sess setup type %d",type));
336 #ifndef CONFIG_CIFS_WEAK_PW_HASH
337 /* LANMAN and plaintext are less secure and off by default.
338 So we make this explicitly be turned on in kconfig (in the
339 build) and turned on at runtime (changed from the default)
340 in proc/fs/cifs or via mount parm. Unfortunately this is
341 needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
344 wct = 10; /* lanman 2 style sessionsetup */
345 } else if((type == NTLM) || (type == NTLMv2)) {
346 /* For NTLMv2 failures eventually may need to retry NTLM */
347 wct = 13; /* old style NTLM sessionsetup */
348 } else /* same size for negotiate or auth, NTLMSSP or extended security */
351 rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
356 pSMB = (SESSION_SETUP_ANDX *)smb_buf;
358 capabilities = cifs_ssetup_hdr(ses, pSMB);
360 /* we will send the SMB in two pieces,
361 a fixed length beginning part, and a
362 second part which will include the strings
363 and rest of bcc area, in order to avoid having
364 to do a large buffer 17K allocation */
365 iov[0].iov_base = (char *)pSMB;
366 iov[0].iov_len = smb_buf->smb_buf_length + 4;
368 /* 2000 big enough to fit max user, domain, NOS name etc. */
369 str_area = kmalloc(2000, GFP_KERNEL);
373 #ifdef CONFIG_CIFS_WEAK_PW_HASH
374 char lnm_session_key[CIFS_SESS_KEY_SIZE];
376 /* no capabilities flags in old lanman negotiation */
378 pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
379 /* BB calculate hash with password */
380 /* and copy into bcc */
382 calc_lanman_hash(ses, lnm_session_key);
384 /* #ifdef CONFIG_CIFS_DEBUG2
385 cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
388 memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
389 bcc_ptr += CIFS_SESS_KEY_SIZE;
391 /* can not sign if LANMAN negotiated so no need
392 to calculate signing key? but what if server
393 changed to do higher than lanman dialect and
394 we reconnected would we ever calc signing_key? */
396 cFYI(1,("Negotiating LANMAN setting up strings"));
397 /* Unicode not allowed for LANMAN dialects */
398 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
400 } else if (type == NTLM) {
401 char ntlm_session_key[CIFS_SESS_KEY_SIZE];
403 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
404 pSMB->req_no_secext.CaseInsensitivePasswordLength =
405 cpu_to_le16(CIFS_SESS_KEY_SIZE);
406 pSMB->req_no_secext.CaseSensitivePasswordLength =
407 cpu_to_le16(CIFS_SESS_KEY_SIZE);
409 /* calculate session key */
410 SMBNTencrypt(ses->password, ses->server->cryptKey,
413 if(first_time) /* should this be moved into common code
414 with similar ntlmv2 path? */
415 cifs_calculate_mac_key(ses->server->mac_signing_key,
416 ntlm_session_key, ses->password);
417 /* copy session key */
419 memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
420 bcc_ptr += CIFS_SESS_KEY_SIZE;
421 memcpy(bcc_ptr, (char *)ntlm_session_key,CIFS_SESS_KEY_SIZE);
422 bcc_ptr += CIFS_SESS_KEY_SIZE;
423 if(ses->capabilities & CAP_UNICODE) {
424 /* unicode strings must be word aligned */
425 if (iov[0].iov_len % 2) {
429 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
431 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
432 } else if (type == NTLMv2) {
434 kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
436 /* BB FIXME change all users of v2_sess_key to
437 struct ntlmv2_resp */
439 if(v2_sess_key == NULL) {
440 cifs_small_buf_release(smb_buf);
444 pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
446 /* LM2 password would be here if we supported it */
447 pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
448 /* cpu_to_le16(LM2_SESS_KEY_SIZE); */
450 pSMB->req_no_secext.CaseSensitivePasswordLength =
451 cpu_to_le16(sizeof(struct ntlmv2_resp));
453 /* calculate session key */
454 setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
455 if(first_time) /* should this be moved into common code
456 with similar ntlmv2 path? */
457 /* cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
458 response BB FIXME, v2_sess_key); */
460 /* copy session key */
462 /* memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
463 bcc_ptr += LM2_SESS_KEY_SIZE; */
464 memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
465 bcc_ptr += sizeof(struct ntlmv2_resp);
467 if(ses->capabilities & CAP_UNICODE) {
468 if(iov[0].iov_len % 2) {
471 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
473 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
474 } else /* NTLMSSP or SPNEGO */ {
475 pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
476 capabilities |= CAP_EXTENDED_SECURITY;
477 pSMB->req.Capabilities = cpu_to_le32(capabilities);
478 /* BB set password lengths */
481 count = (long) bcc_ptr - (long) str_area;
482 smb_buf->smb_buf_length += count;
484 BCC_LE(smb_buf) = cpu_to_le16(count);
486 iov[1].iov_base = str_area;
487 iov[1].iov_len = count;
488 rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
489 /* SMB request buf freed in SendReceive2 */
491 cFYI(1,("ssetup rc from sendrecv2 is %d",rc));
495 pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
496 smb_buf = (struct smb_hdr *)iov[0].iov_base;
498 if((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
500 cERROR(1,("bad word count %d", smb_buf->WordCount));
503 action = le16_to_cpu(pSMB->resp.Action);
504 if (action & GUEST_LOGIN)
505 cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
506 ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
507 cFYI(1, ("UID = %d ", ses->Suid));
508 /* response can have either 3 or 4 word count - Samba sends 3 */
509 /* and lanman response is 3 */
510 bytes_remaining = BCC(smb_buf);
511 bcc_ptr = pByteArea(smb_buf);
513 if(smb_buf->WordCount == 4) {
515 blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
517 if(blob_len > bytes_remaining) {
518 cERROR(1,("bad security blob length %d", blob_len));
522 bytes_remaining -= blob_len;
525 /* BB check if Unicode and decode strings */
526 if(smb_buf->Flags2 & SMBFLG2_UNICODE)
527 rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
530 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
534 if(resp_buf_type == CIFS_SMALL_BUFFER) {
535 cFYI(1,("ssetup freeing small buf %p", iov[0].iov_base));
536 cifs_small_buf_release(iov[0].iov_base);
537 } else if(resp_buf_type == CIFS_LARGE_BUFFER)
538 cifs_buf_release(iov[0].iov_base);