sess.c source code [linux/fs/smb/client/sess.c]

1	// SPDX-License-Identifier: LGPL-2.1
2	/*
3	*
4	* SMB/CIFS session setup handling routines
5	*
6	* Copyright (c) International Business Machines Corp., 2006, 2009
7	* Author(s): Steve French (sfrench@us.ibm.com)
8	*
9	*/
10
11	#include "cifspdu.h"
12	#include "cifsglob.h"
13	#include "cifsproto.h"
14	#include "cifs_unicode.h"
15	#include "cifs_debug.h"
16	#include "ntlmssp.h"
17	#include "nterr.h"
18	#include <linux/utsname.h>
19	#include <linux/slab.h>
20	#include <linux/version.h>
21	#include "cifsfs.h"
22	#include "cifs_spnego.h"
23	#include "smb2proto.h"
24	#include "fs_context.h"
25
26	static int
27	cifs_ses_add_channel(struct cifs_ses *ses,
28	struct cifs_server_iface *iface);
29
30	bool is_ses_using_iface(struct cifs_ses ses, struct* cifs_server_iface *iface)
31	{
32	int i;
33
34	spin_lock(lock: &ses->chan_lock);
35	for (i = `0`; i < ses->chan_count; i++) {
36	if (ses->chans[i].iface == iface) {
37	spin_unlock(lock: &ses->chan_lock);
38	return true;
39	}
40	}
41	spin_unlock(lock: &ses->chan_lock);
42	return false;
43	}
44
45	/ channel helper functions. assumed that chan_lock is held by caller. /
46
47	int
48	cifs_ses_get_chan_index(struct cifs_ses *ses,
49	struct TCP_Server_Info *server)
50	{
51	unsigned int i;
52
53	/ if the channel is waiting for termination /
54	if (server && server->terminate)
55	return CIFS_INVAL_CHAN_INDEX;
56
57	for (i = `0`; i < ses->chan_count; i++) {
58	if (ses->chans[i].server == server)
59	return i;
60	}
61
62	/ If we didn't find the channel, it is likely a bug /
63	if (server)
64	cifs_dbg(VFS, "unable to get chan index for server: 0x%llx",
65	server->conn_id);
66	return CIFS_INVAL_CHAN_INDEX;
67	}
68
69	void
70	cifs_chan_set_in_reconnect(struct cifs_ses *ses,
71	struct TCP_Server_Info *server)
72	{
73	int chan_index = cifs_ses_get_chan_index(ses, server);
74
75	if (chan_index == CIFS_INVAL_CHAN_INDEX)
76	return;
77
78	ses->chans[chan_index].in_reconnect = true;
79	}
80
81	void
82	cifs_chan_clear_in_reconnect(struct cifs_ses *ses,
83	struct TCP_Server_Info *server)
84	{
85	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
86
87	if (chan_index == CIFS_INVAL_CHAN_INDEX)
88	return;
89
90	ses->chans[chan_index].in_reconnect = false;
91	}
92
93	void
94	cifs_chan_set_need_reconnect(struct cifs_ses *ses,
95	struct TCP_Server_Info *server)
96	{
97	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
98
99	if (chan_index == CIFS_INVAL_CHAN_INDEX)
100	return;
101
102	set_bit(nr: chan_index, addr: &ses->chans_need_reconnect);
103	cifs_dbg(FYI, "Set reconnect bitmask for chan %u; now 0x%lx\n",
104	chan_index, ses->chans_need_reconnect);
105	}
106
107	void
108	cifs_chan_clear_need_reconnect(struct cifs_ses *ses,
109	struct TCP_Server_Info *server)
110	{
111	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
112
113	if (chan_index == CIFS_INVAL_CHAN_INDEX)
114	return;
115
116	clear_bit(nr: chan_index, addr: &ses->chans_need_reconnect);
117	cifs_dbg(FYI, "Cleared reconnect bitmask for chan %u; now 0x%lx\n",
118	chan_index, ses->chans_need_reconnect);
119	}
120
121	bool
122	cifs_chan_needs_reconnect(struct cifs_ses *ses,
123	struct TCP_Server_Info *server)
124	{
125	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
126
127	if (chan_index == CIFS_INVAL_CHAN_INDEX)
128	return true; / err on the safer side /
129
130	return CIFS_CHAN_NEEDS_RECONNECT(ses, chan_index);
131	}
132
133	bool
134	cifs_chan_is_iface_active(struct cifs_ses *ses,
135	struct TCP_Server_Info *server)
136	{
137	unsigned int chan_index = cifs_ses_get_chan_index(ses, server);
138
139	if (chan_index == CIFS_INVAL_CHAN_INDEX)
140	return true; / err on the safer side /
141
142	return ses->chans[chan_index].iface &&
143	ses->chans[chan_index].iface->is_active;
144	}
145
146	/ returns number of channels added /
147	int cifs_try_adding_channels(struct cifs_ses *ses)
148	{
149	struct TCP_Server_Info *server = ses->server;
150	int old_chan_count, new_chan_count;
151	int left;
152	int rc = `0`;
153	int tries = `0`;
154	size_t iface_weight = `0`, iface_min_speed = `0`;
155	struct cifs_server_iface iface = NULL, niface = NULL;
156	struct cifs_server_iface *last_iface = NULL;
157
158	spin_lock(lock: &ses->chan_lock);
159
160	new_chan_count = old_chan_count = ses->chan_count;
161	left = ses->chan_max - ses->chan_count;
162
163	if (left <= `0`) {
164	spin_unlock(lock: &ses->chan_lock);
165	cifs_dbg(FYI,
166	"ses already at max_channels (%zu), nothing to open\n",
167	ses->chan_max);
168	return `0`;
169	}
170
171	if (server->dialect < SMB30_PROT_ID) {
172	spin_unlock(lock: &ses->chan_lock);
173	cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n");
174	return `0`;
175	}
176
177	if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
178	spin_unlock(lock: &ses->chan_lock);
179	cifs_server_dbg(VFS, "no multichannel support\n");
180	return `0`;
181	}
182	spin_unlock(lock: &ses->chan_lock);
183
184	while (left > `0`) {
185
186	tries++;
187	if (tries > `3`*ses->chan_max) {
188	cifs_dbg(VFS, "too many channel open attempts (%d channels left to open)\n",
189	left);
190	break;
191	}
192
193	spin_lock(lock: &ses->iface_lock);
194	if (!ses->iface_count) {
195	spin_unlock(lock: &ses->iface_lock);
196	cifs_dbg(ONCE, "server %s does not advertise interfaces\n",
197	ses->server->hostname);
198	break;
199	}
200
201	if (!iface)
202	iface = list_first_entry(&ses->iface_list, struct cifs_server_iface,
203	iface_head);
204	last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
205	iface_head);
206	iface_min_speed = last_iface->speed;
207
208	list_for_each_entry_safe_from(iface, niface, &ses->iface_list,
209	iface_head) {
210	/ do not mix rdma and non-rdma interfaces /
211	if (iface->rdma_capable != ses->server->rdma)
212	continue;
213
214	/ skip ifaces that are unusable /
215	if (!iface->is_active \|\|
216	(is_ses_using_iface(ses, iface) &&
217	!iface->rss_capable))
218	continue;
219
220	/ check if we already allocated enough channels /
221	iface_weight = iface->speed / iface_min_speed;
222
223	if (iface->weight_fulfilled >= iface_weight)
224	continue;
225
226	/ take ref before unlock /
227	kref_get(kref: &iface->refcount);
228
229	spin_unlock(lock: &ses->iface_lock);
230	rc = cifs_ses_add_channel(ses, iface);
231	spin_lock(lock: &ses->iface_lock);
232
233	if (rc) {
234	cifs_dbg(VFS, "failed to open extra channel on iface:%pIS rc=%d\n",
235	&iface->sockaddr,
236	rc);
237	kref_put(kref: &iface->refcount, release: release_iface);
238	/ failure to add chan should increase weight /
239	iface->weight_fulfilled++;
240	continue;
241	}
242
243	iface->num_channels++;
244	iface->weight_fulfilled++;
245	cifs_info("successfully opened new channel on iface:%pIS\n",
246	&iface->sockaddr);
247	break;
248	}
249
250	/ reached end of list. reset weight_fulfilled and start over /
251	if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
252	list_for_each_entry(iface, &ses->iface_list, iface_head)
253	iface->weight_fulfilled = `0`;
254	spin_unlock(lock: &ses->iface_lock);
255	iface = NULL;
256	continue;
257	}
258	spin_unlock(lock: &ses->iface_lock);
259
260	left--;
261	new_chan_count++;
262	}
263
264	return new_chan_count - old_chan_count;
265	}
266
267	/*
268	* cifs_decrease_secondary_channels - Reduce the number of active secondary channels
269	* @ses: pointer to the CIFS session structure
270	* @disable_mchan: if true, reduce to a single channel; if false, reduce to chan_max
271	*
272	* This function disables and cleans up extra secondary channels for a CIFS session.
273	* If called during reconfiguration, it reduces the channel count to the new maximum (chan_max).
274	* Otherwise, it disables all but the primary channel.
275	*/
276	void
277	cifs_decrease_secondary_channels(struct cifs_ses *ses, bool disable_mchan)
278	{
279	int i, chan_count;
280	struct TCP_Server_Info *server;
281	struct cifs_server_iface *iface;
282
283	spin_lock(lock: &ses->chan_lock);
284	chan_count = ses->chan_count;
285	if (chan_count == `1`)
286	goto done;
287
288	/ Update the chan_count to the new maximum /
289	if (disable_mchan) {
290	cifs_dbg(FYI, "server does not support multichannel anymore.\n");
291	ses->chan_count = `1`;
292	} else {
293	ses->chan_count = ses->chan_max;
294	}
295
296	/ Disable all secondary channels beyond the new chan_count /
297	for (i = ses->chan_count ; i < chan_count; i++) {
298	iface = ses->chans[i].iface;
299	server = ses->chans[i].server;
300
301	/*
302	* remove these references first, since we need to unlock
303	* the chan_lock here, since iface_lock is a higher lock
304	*/
305	ses->chans[i].iface = NULL;
306	ses->chans[i].server = NULL;
307	spin_unlock(lock: &ses->chan_lock);
308
309	if (iface) {
310	spin_lock(lock: &ses->iface_lock);
311	iface->num_channels--;
312	if (iface->weight_fulfilled)
313	iface->weight_fulfilled--;
314	kref_put(kref: &iface->refcount, release: release_iface);
315	spin_unlock(lock: &ses->iface_lock);
316	}
317
318	if (server) {
319	if (!server->terminate) {
320	server->terminate = true;
321	cifs_signal_cifsd_for_reconnect(server, all_channels: false);
322	}
323	cifs_put_tcp_session(server, from_reconnect: false);
324	}
325
326	spin_lock(lock: &ses->chan_lock);
327	}
328
329	/ For extra secondary channels, reset the need reconnect bit /
330	if (ses->chan_count == `1`) {
331	cifs_dbg(VFS, "Disable all secondary channels\n");
332	ses->chans_need_reconnect &= `1`;
333	} else {
334	cifs_dbg(VFS, "Disable extra secondary channels\n");
335	ses->chans_need_reconnect &= ((`1UL` << ses->chan_max) - `1`);
336	}
337
338	done:
339	spin_unlock(lock: &ses->chan_lock);
340	}
341
342	/ update the iface for the channel if necessary. /
343	void
344	cifs_chan_update_iface(struct cifs_ses ses, struct* TCP_Server_Info *server)
345	{
346	unsigned int chan_index;
347	size_t iface_weight = `0`, iface_min_speed = `0`;
348	struct cifs_server_iface *iface = NULL;
349	struct cifs_server_iface *old_iface = NULL;
350	struct cifs_server_iface *last_iface = NULL;
351	struct sockaddr_storage ss;
352	int retry = `0`;
353
354	spin_lock(lock: &ses->chan_lock);
355	chan_index = cifs_ses_get_chan_index(ses, server);
356	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
357	spin_unlock(lock: &ses->chan_lock);
358	return;
359	}
360
361	if (ses->chans[chan_index].iface) {
362	old_iface = ses->chans[chan_index].iface;
363	if (old_iface->is_active) {
364	spin_unlock(lock: &ses->chan_lock);
365	return;
366	}
367	}
368	spin_unlock(lock: &ses->chan_lock);
369
370	spin_lock(lock: &server->srv_lock);
371	ss = server->dstaddr;
372	spin_unlock(lock: &server->srv_lock);
373
374	spin_lock(lock: &ses->iface_lock);
375	if (!ses->iface_count) {
376	spin_unlock(lock: &ses->iface_lock);
377	cifs_dbg(ONCE, "server %s does not advertise interfaces\n", ses->server->hostname);
378	return;
379	}
380
381	try_again:
382	last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
383	iface_head);
384	iface_min_speed = last_iface->speed;
385
386	/ then look for a new one /
387	list_for_each_entry(iface, &ses->iface_list, iface_head) {
388	if (!chan_index) {
389	/ if we're trying to get the updated iface for primary channel /
390	if (!cifs_match_ipaddr(srcaddr: (struct sockaddr *) &ss,
391	rhs: (struct sockaddr *) &iface->sockaddr))
392	continue;
393
394	kref_get(kref: &iface->refcount);
395	break;
396	}
397
398	/ do not mix rdma and non-rdma interfaces /
399	if (iface->rdma_capable != server->rdma)
400	continue;
401
402	if (!iface->is_active \|\|
403	(is_ses_using_iface(ses, iface) &&
404	!iface->rss_capable)) {
405	continue;
406	}
407
408	/ check if we already allocated enough channels /
409	iface_weight = iface->speed / iface_min_speed;
410
411	if (iface->weight_fulfilled >= iface_weight)
412	continue;
413
414	kref_get(kref: &iface->refcount);
415	break;
416	}
417
418	if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
419	list_for_each_entry(iface, &ses->iface_list, iface_head)
420	iface->weight_fulfilled = `0`;
421
422	/ see if it can be satisfied in second attempt /
423	if (!retry++)
424	goto try_again;
425
426	iface = NULL;
427	cifs_dbg(FYI, "unable to find a suitable iface\n");
428	}
429
430	if (!iface) {
431	if (!chan_index)
432	cifs_dbg(FYI, "unable to get the interface matching: %pIS\n",
433	&ss);
434	else {
435	cifs_dbg(FYI, "unable to find another interface to replace: %pIS\n",
436	&old_iface->sockaddr);
437	}
438
439	spin_unlock(lock: &ses->iface_lock);
440	return;
441	}
442
443	/ now drop the ref to the current iface /
444	if (old_iface) {
445	cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
446	&old_iface->sockaddr,
447	&iface->sockaddr);
448
449	old_iface->num_channels--;
450	if (old_iface->weight_fulfilled)
451	old_iface->weight_fulfilled--;
452	iface->num_channels++;
453	iface->weight_fulfilled++;
454
455	kref_put(kref: &old_iface->refcount, release: release_iface);
456	} else if (!chan_index) {
457	/ special case: update interface for primary channel /
458	cifs_dbg(FYI, "referencing primary channel iface: %pIS\n",
459	&iface->sockaddr);
460	iface->num_channels++;
461	iface->weight_fulfilled++;
462	}
463	spin_unlock(lock: &ses->iface_lock);
464
465	spin_lock(lock: &ses->chan_lock);
466	chan_index = cifs_ses_get_chan_index(ses, server);
467	if (chan_index == CIFS_INVAL_CHAN_INDEX) {
468	spin_unlock(lock: &ses->chan_lock);
469	return;
470	}
471
472	ses->chans[chan_index].iface = iface;
473	spin_unlock(lock: &ses->chan_lock);
474
475	spin_lock(lock: &server->srv_lock);
476	memcpy(&server->dstaddr, &iface->sockaddr, sizeof(server->dstaddr));
477	spin_unlock(lock: &server->srv_lock);
478	}
479
480	static int
481	cifs_ses_add_channel(struct cifs_ses *ses,
482	struct cifs_server_iface *iface)
483	{
484	struct TCP_Server_Info *chan_server;
485	struct cifs_chan *chan;
486	struct smb3_fs_context *ctx;
487	static const char unc_fmt[] = "\\%s\\foo";
488	struct sockaddr_in ipv4 = (struct* sockaddr_in *)&iface->sockaddr;
489	struct sockaddr_in6 ipv6 = (struct* sockaddr_in6 *)&iface->sockaddr;
490	size_t len;
491	int rc;
492	unsigned int xid = get_xid();
493
494	if (iface->sockaddr.ss_family == AF_INET)
495	cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI4)\n",
496	ses, iface->speed, str_yes_no(iface->rdma_capable),
497	&ipv4->sin_addr);
498	else
499	cifs_dbg(FYI, "adding channel to ses %p (speed:%zu bps rdma:%s ip:%pI6)\n",
500	ses, iface->speed, str_yes_no(iface->rdma_capable),
501	&ipv6->sin6_addr);
502
503	/*
504	* Setup a ctx with mostly the same info as the existing
505	* session and overwrite it with the requested iface data.
506	*
507	* We need to setup at least the fields used for negprot and
508	* sesssetup.
509	*
510	* We only need the ctx here, so we can reuse memory from
511	* the session and server without caring about memory
512	* management.
513	*/
514	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
515	if (!ctx) {
516	rc = -ENOMEM;
517	goto out_free_xid;
518	}
519
520	/ Always make new connection for now (TODO?) /
521	ctx->nosharesock = true;
522
523	/ Auth /
524	ctx->domainauto = ses->domainAuto;
525	ctx->domainname = ses->domainName;
526
527	ctx->server_hostname = ses->server->hostname;
528
529	ctx->username = ses->user_name;
530	ctx->password = ses->password;
531	ctx->sectype = ses->sectype;
532	ctx->sign = ses->sign;
533	ctx->unicode = ses->unicode;
534
535	/ UNC and paths /
536	/ XXX: Use ses->server->hostname? /
537	len = sizeof(unc_fmt) + SERVER_NAME_LEN_WITH_NULL;
538	ctx->UNC = kzalloc(len, GFP_KERNEL);
539	if (!ctx->UNC) {
540	rc = -ENOMEM;
541	goto out_free_ctx;
542	}
543	scnprintf(buf: ctx->UNC, size: len, fmt: unc_fmt, ses->ip_addr);
544	ctx->prepath = "";
545
546	/ Reuse same version as master connection /
547	ctx->vals = ses->server->vals;
548	ctx->ops = ses->server->ops;
549
550	ctx->noblocksnd = ses->server->noblocksnd;
551	ctx->noautotune = ses->server->noautotune;
552	ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
553	ctx->echo_interval = ses->server->echo_interval / HZ;
554	ctx->max_credits = ses->server->max_credits;
555	ctx->min_offload = ses->server->min_offload;
556	ctx->compress = ses->server->compression.requested;
557	ctx->dfs_conn = ses->server->dfs_conn;
558	ctx->ignore_signature = ses->server->ignore_signature;
559	ctx->leaf_fullpath = ses->server->leaf_fullpath;
560	ctx->rootfs = ses->server->noblockcnt;
561	ctx->retrans = ses->server->retrans;
562
563	/*
564	* This will be used for encoding/decoding user/domain/pw
565	* during sess setup auth.
566	*/
567	ctx->local_nls = ses->local_nls;
568
569	/ Use RDMA if possible /
570	ctx->rdma = iface->rdma_capable;
571	memcpy(&ctx->dstaddr, &iface->sockaddr, sizeof(ctx->dstaddr));
572
573	/ reuse master con client guid /
574	memcpy(&ctx->client_guid, ses->server->client_guid,
575	sizeof(ctx->client_guid));
576	ctx->use_client_guid = true;
577
578	chan_server = cifs_get_tcp_session(ctx, primary_server: ses->server);
579
580	spin_lock(lock: &ses->chan_lock);
581	chan = &ses->chans[ses->chan_count];
582	chan->server = chan_server;
583	if (IS_ERR(ptr: chan->server)) {
584	rc = PTR_ERR(ptr: chan->server);
585	chan->server = NULL;
586	spin_unlock(lock: &ses->chan_lock);
587	goto out;
588	}
589	chan->iface = iface;
590	ses->chan_count++;
591	atomic_set(v: &ses->chan_seq, i: `0`);
592
593	/ Mark this channel as needing connect/setup /
594	cifs_chan_set_need_reconnect(ses, server: chan->server);
595
596	spin_unlock(lock: &ses->chan_lock);
597
598	mutex_lock(&ses->session_mutex);
599	/*
600	* We need to allocate the server crypto now as we will need
601	* to sign packets before we generate the channel signing key
602	* (we sign with the session key)
603	*/
604	rc = smb3_crypto_shash_allocate(server: chan->server);
605	if (rc) {
606	cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
607	mutex_unlock(lock: &ses->session_mutex);
608	goto out;
609	}
610
611	rc = cifs_negotiate_protocol(xid, ses, server: chan->server);
612	if (!rc)
613	rc = cifs_setup_session(xid, ses, server: chan->server, nls_info: ses->local_nls);
614
615	mutex_unlock(lock: &ses->session_mutex);
616
617	out:
618	if (rc && chan->server) {
619	cifs_put_tcp_session(server: chan->server, from_reconnect: `0`);
620
621	spin_lock(lock: &ses->chan_lock);
622
623	/ we rely on all bits beyond chan_count to be clear /
624	cifs_chan_clear_need_reconnect(ses, server: chan->server);
625	ses->chan_count--;
626	/*
627	* chan_count should never reach 0 as at least the primary
628	* channel is always allocated
629	*/
630	WARN_ON(ses->chan_count < `1`);
631	spin_unlock(lock: &ses->chan_lock);
632	}
633
634	kfree(objp: ctx->UNC);
635	out_free_ctx:
636	kfree(objp: ctx);
637	out_free_xid:
638	free_xid(xid);
639	return rc;
640	}
641
642	#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
643	static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
644	struct TCP_Server_Info *server,
645	SESSION_SETUP_ANDX *pSMB)
646	{
647	__u32 capabilities = `0`;
648
649	/ init fields common to all four types of SessSetup /
650	/ Note that offsets for first seven fields in req struct are same /
651	/ in CIFS Specs so does not matter which of 3 forms of struct /
652	/ that we use in next few lines /
653	/ Note that header is initialized to zero in header_assemble /
654	pSMB->req.AndXCommand = `0xFF`;
655	pSMB->req.MaxBufferSize = cpu_to_le16(min_t(u32,
656	CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - `4`,
657	USHRT_MAX));
658	pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
659	pSMB->req.VcNumber = cpu_to_le16(`1`);
660	pSMB->req.SessionKey = server->session_key_id;
661
662	/ Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH /
663
664	/ BB verify whether signing required on neg or just auth frame (and NTLM case) /
665
666	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|
667	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;
668
669	if (server->sign)
670	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
671
672	if (ses->capabilities & CAP_UNICODE) {
673	pSMB->req.hdr.Flags2 \|= SMBFLG2_UNICODE;
674	capabilities \|= CAP_UNICODE;
675	}
676	if (ses->capabilities & CAP_STATUS32) {
677	pSMB->req.hdr.Flags2 \|= SMBFLG2_ERR_STATUS;
678	capabilities \|= CAP_STATUS32;
679	}
680	if (ses->capabilities & CAP_DFS) {
681	pSMB->req.hdr.Flags2 \|= SMBFLG2_DFS;
682	capabilities \|= CAP_DFS;
683	}
684	if (ses->capabilities & CAP_UNIX)
685	capabilities \|= CAP_UNIX;
686
687	return capabilities;
688	}
689
690	static void
691	unicode_oslm_strings(char *pbcc_area, const* struct nls_table *nls_cp)
692	{
693	char bcc_ptr = pbcc_area;
694	int bytes_ret = `0`;
695
696	/ Copy OS version /
697	bytes_ret = cifs_strtoUTF16((__le16 *)bcc_ptr, "Linux version ", `32`,
698	nls_cp);
699	bcc_ptr += `2` * bytes_ret;
700	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, init_utsname()->release,
701	`32`, nls_cp);
702	bcc_ptr += `2` * bytes_ret;
703	bcc_ptr += `2`; / trailing null /
704
705	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
706	`32`, nls_cp);
707	bcc_ptr += `2` * bytes_ret;
708	bcc_ptr += `2`; / trailing null /
709
710	*pbcc_area = bcc_ptr;
711	}
712
713	static void
714	ascii_oslm_strings(char *pbcc_area, const* struct nls_table *nls_cp)
715	{
716	char bcc_ptr = pbcc_area;
717
718	strcpy(p: bcc_ptr, q: "Linux version ");
719	bcc_ptr += strlen("Linux version ");
720	strcpy(p: bcc_ptr, q: init_utsname()->release);
721	bcc_ptr += strlen(init_utsname()->release) + `1`;
722
723	strcpy(p: bcc_ptr, CIFS_NETWORK_OPSYS);
724	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + `1`;
725
726	*pbcc_area = bcc_ptr;
727	}
728
729	static void unicode_domain_string(char pbcc_area, struct** cifs_ses *ses,
730	const struct nls_table *nls_cp)
731	{
732	char bcc_ptr = pbcc_area;
733	int bytes_ret = `0`;
734
735	/ copy domain /
736	if (ses->domainName == NULL) {
737	/*
738	* Sending null domain better than using a bogus domain name (as
739	* we did briefly in 2.6.18) since server will use its default
740	*/
741	*bcc_ptr = `0`;
742	*(bcc_ptr+`1`) = `0`;
743	bytes_ret = `0`;
744	} else
745	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
746	CIFS_MAX_DOMAINNAME_LEN, nls_cp);
747	bcc_ptr += `2` * bytes_ret;
748	bcc_ptr += `2`; / account for null terminator /
749
750	*pbcc_area = bcc_ptr;
751	}
752
753	static void ascii_domain_string(char pbcc_area, struct** cifs_ses *ses,
754	const struct nls_table *nls_cp)
755	{
756	char bcc_ptr = pbcc_area;
757	int len;
758
759	/ copy domain /
760	if (ses->domainName != NULL) {
761	len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
762	if (WARN_ON_ONCE(len < `0`))
763	len = CIFS_MAX_DOMAINNAME_LEN - `1`;
764	bcc_ptr += len;
765	} / else we send a null domain name so server will default to its own domain /
766	*bcc_ptr = `0`;
767	bcc_ptr++;
768
769	*pbcc_area = bcc_ptr;
770	}
771
772	static void unicode_ssetup_strings(char pbcc_area, struct** cifs_ses *ses,
773	const struct nls_table *nls_cp)
774	{
775	char bcc_ptr = pbcc_area;
776	int bytes_ret = `0`;
777
778	/ BB FIXME add check that strings less than 335 or will need to send as arrays /
779
780	/ copy user /
781	if (ses->user_name == NULL) {
782	/ null user mount /
783	*bcc_ptr = `0`;
784	*(bcc_ptr+`1`) = `0`;
785	} else {
786	bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->user_name,
787	CIFS_MAX_USERNAME_LEN, nls_cp);
788	}
789	bcc_ptr += `2` * bytes_ret;
790	bcc_ptr += `2`; / account for null termination /
791
792	unicode_domain_string(pbcc_area: &bcc_ptr, ses, nls_cp);
793	unicode_oslm_strings(pbcc_area: &bcc_ptr, nls_cp);
794
795	*pbcc_area = bcc_ptr;
796	}
797
798	static void ascii_ssetup_strings(char pbcc_area, struct** cifs_ses *ses,
799	const struct nls_table *nls_cp)
800	{
801	char bcc_ptr = pbcc_area;
802	int len;
803
804	/ copy user /
805	/ BB what about null user mounts - check that we do this BB /
806	/ copy user /
807	if (ses->user_name != NULL) {
808	len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN);
809	if (WARN_ON_ONCE(len < `0`))
810	len = CIFS_MAX_USERNAME_LEN - `1`;
811	bcc_ptr += len;
812	}
813	/ else null user mount /
814	*bcc_ptr = `0`;
815	bcc_ptr++; / account for null termination /
816
817	/ BB check for overflow here /
818
819	ascii_domain_string(pbcc_area: &bcc_ptr, ses, nls_cp);
820	ascii_oslm_strings(pbcc_area: &bcc_ptr, nls_cp);
821
822	*pbcc_area = bcc_ptr;
823	}
824
825	static void
826	decode_unicode_ssetup(char *pbcc_area, int* bleft, struct cifs_ses *ses,
827	const struct nls_table *nls_cp)
828	{
829	int len;
830	char data = pbcc_area;
831
832	cifs_dbg(FYI, "bleft %d\n", bleft);
833
834	kfree(objp: ses->serverOS);
835	ses->serverOS = cifs_strndup_from_utf16(src: data, maxlen: bleft, is_unicode: true, codepage: nls_cp);
836	cifs_dbg(FYI, "serverOS=%s\n", ses->serverOS);
837	len = (UniStrnlen(ucs1: (wchar_t ) data, maxlen: bleft / `2`) `2`) + `2`;
838	data += len;
839	bleft -= len;
840	if (bleft <= `0`)
841	return;
842
843	kfree(objp: ses->serverNOS);
844	ses->serverNOS = cifs_strndup_from_utf16(src: data, maxlen: bleft, is_unicode: true, codepage: nls_cp);
845	cifs_dbg(FYI, "serverNOS=%s\n", ses->serverNOS);
846	len = (UniStrnlen(ucs1: (wchar_t ) data, maxlen: bleft / `2`) `2`) + `2`;
847	data += len;
848	bleft -= len;
849	if (bleft <= `0`)
850	return;
851
852	kfree(objp: ses->serverDomain);
853	ses->serverDomain = cifs_strndup_from_utf16(src: data, maxlen: bleft, is_unicode: true, codepage: nls_cp);
854	cifs_dbg(FYI, "serverDomain=%s\n", ses->serverDomain);
855
856	return;
857	}
858
859	static void decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
860	struct cifs_ses *ses,
861	const struct nls_table *nls_cp)
862	{
863	int len;
864	char bcc_ptr = pbcc_area;
865
866	cifs_dbg(FYI, "decode sessetup ascii. bleft %d\n", bleft);
867
868	len = strnlen(p: bcc_ptr, maxlen: bleft);
869	if (len >= bleft)
870	return;
871
872	kfree(objp: ses->serverOS);
873
874	ses->serverOS = kmalloc(len + `1`, GFP_KERNEL);
875	if (ses->serverOS) {
876	memcpy(ses->serverOS, bcc_ptr, len);
877	ses->serverOS[len] = `0`;
878	if (strncmp(ses->serverOS, "OS/2", `4`) == `0`)
879	cifs_dbg(FYI, "OS/2 server\n");
880	}
881
882	bcc_ptr += len + `1`;
883	bleft -= len + `1`;
884
885	len = strnlen(p: bcc_ptr, maxlen: bleft);
886	if (len >= bleft)
887	return;
888
889	kfree(objp: ses->serverNOS);
890
891	ses->serverNOS = kmalloc(len + `1`, GFP_KERNEL);
892	if (ses->serverNOS) {
893	memcpy(ses->serverNOS, bcc_ptr, len);
894	ses->serverNOS[len] = `0`;
895	}
896
897	bcc_ptr += len + `1`;
898	bleft -= len + `1`;
899
900	len = strnlen(p: bcc_ptr, maxlen: bleft);
901	if (len > bleft)
902	return;
903
904	/*
905	* No domain field in LANMAN case. Domain is
906	* returned by old servers in the SMB negprot response
907	*
908	* BB For newer servers which do not support Unicode,
909	* but thus do return domain here, we could add parsing
910	* for it later, but it is not very important
911	*/
912	cifs_dbg(FYI, "ascii: bytes left %d\n", bleft);
913	}
914	#endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
915
916	int decode_ntlmssp_challenge(char bcc_ptr, int* blob_len,
917	struct cifs_ses *ses)
918	{
919	unsigned int tioffset; / challenge message target info area /
920	unsigned int tilen; / challenge message target info area length /
921	CHALLENGE_MESSAGE pblob = (CHALLENGE_MESSAGE )bcc_ptr;
922	__u32 server_flags;
923
924	if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
925	cifs_dbg(VFS, "challenge blob len %d too small\n", blob_len);
926	return -EINVAL;
927	}
928
929	if (memcmp(p: pblob->Signature, q: "NTLMSSP", size: `8`)) {
930	cifs_dbg(VFS, "blob signature incorrect %s\n",
931	pblob->Signature);
932	return -EINVAL;
933	}
934	if (pblob->MessageType != NtLmChallenge) {
935	cifs_dbg(VFS, "Incorrect message type %d\n",
936	pblob->MessageType);
937	return -EINVAL;
938	}
939
940	server_flags = le32_to_cpu(pblob->NegotiateFlags);
941	cifs_dbg(FYI, "%s: negotiate=0x%08x challenge=0x%08x\n", __func__,
942	ses->ntlmssp->client_flags, server_flags);
943
944	if ((ses->ntlmssp->client_flags & (NTLMSSP_NEGOTIATE_SEAL \| NTLMSSP_NEGOTIATE_SIGN)) &&
945	(!(server_flags & NTLMSSP_NEGOTIATE_56) && !(server_flags & NTLMSSP_NEGOTIATE_128))) {
946	cifs_dbg(VFS, "%s: requested signing/encryption but server did not return either 56-bit or 128-bit session key size\n",
947	__func__);
948	return -EINVAL;
949	}
950	if (!(server_flags & NTLMSSP_NEGOTIATE_NTLM) && !(server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC)) {
951	cifs_dbg(VFS, "%s: server does not seem to support either NTLMv1 or NTLMv2\n", __func__);
952	return -EINVAL;
953	}
954	if (ses->server->sign && !(server_flags & NTLMSSP_NEGOTIATE_SIGN)) {
955	cifs_dbg(VFS, "%s: forced packet signing but server does not seem to support it\n",
956	__func__);
957	return -EOPNOTSUPP;
958	}
959	if ((ses->ntlmssp->client_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
960	!(server_flags & NTLMSSP_NEGOTIATE_KEY_XCH))
961	pr_warn_once("%s: authentication has been weakened as server does not support key exchange\n",
962	__func__);
963
964	ses->ntlmssp->server_flags = server_flags;
965
966	memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
967	/*
968	* In particular we can examine sign flags
969	*
970	* BB spec says that if AvId field of MsvAvTimestamp is populated then
971	* we must set the MIC field of the AUTHENTICATE_MESSAGE
972	*/
973
974	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
975	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
976	if (tioffset > blob_len \|\| tioffset + tilen > blob_len) {
977	cifs_dbg(VFS, "tioffset + tilen too high %u + %u\n",
978	tioffset, tilen);
979	return -EINVAL;
980	}
981	if (tilen) {
982	kfree_sensitive(objp: ses->auth_key.response);
983	ses->auth_key.response = kmemdup(bcc_ptr + tioffset, tilen,
984	GFP_KERNEL);
985	if (!ses->auth_key.response) {
986	cifs_dbg(VFS, "Challenge target info alloc failure\n");
987	return -ENOMEM;
988	}
989	ses->auth_key.len = tilen;
990	}
991
992	return `0`;
993	}
994
995	static int size_of_ntlmssp_blob(struct cifs_ses ses, int* base_size)
996	{
997	int sz = base_size + ses->auth_key.len
998	- CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + `2`;
999
1000	if (ses->domainName)
1001	sz += sizeof(__le16) * strnlen(p: ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
1002	else
1003	sz += sizeof(__le16);
1004
1005	if (ses->user_name)
1006	sz += sizeof(__le16) * strnlen(p: ses->user_name, CIFS_MAX_USERNAME_LEN);
1007	else
1008	sz += sizeof(__le16);
1009
1010	if (ses->workstation_name[`0`])
1011	sz += sizeof(__le16) * strnlen(p: ses->workstation_name,
1012	maxlen: ntlmssp_workstation_name_size(ses));
1013	else
1014	sz += sizeof(__le16);
1015
1016	return sz;
1017	}
1018
1019	static inline void cifs_security_buffer_from_str(SECURITY_BUFFER *pbuf,
1020	char *str_value,
1021	int str_length,
1022	unsigned char *pstart,
1023	unsigned char **pcur,
1024	const struct nls_table *nls_cp)
1025	{
1026	unsigned char *tmp = pstart;
1027	int len;
1028
1029	if (!pbuf)
1030	return;
1031
1032	if (!pcur)
1033	pcur = &tmp;
1034
1035	if (!str_value) {
1036	pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1037	pbuf->Length = `0`;
1038	pbuf->MaximumLength = `0`;
1039	pcur += sizeof*(__le16);
1040	} else {
1041	len = cifs_strtoUTF16((__le16 )pcur,
1042	str_value,
1043	str_length,
1044	nls_cp);
1045	len = sizeof*(__le16);
1046	pbuf->BufferOffset = cpu_to_le32(*pcur - pstart);
1047	pbuf->Length = cpu_to_le16(len);
1048	pbuf->MaximumLength = cpu_to_le16(len);
1049	*pcur += len;
1050	}
1051	}
1052
1053	/ BB Move to ntlmssp.c eventually /
1054
1055	int build_ntlmssp_negotiate_blob(unsigned char **pbuffer,
1056	u16 *buflen,
1057	struct cifs_ses *ses,
1058	struct TCP_Server_Info *server,
1059	const struct nls_table *nls_cp)
1060	{
1061	int rc = `0`;
1062	NEGOTIATE_MESSAGE *sec_blob;
1063	__u32 flags;
1064	unsigned char *tmp;
1065	int len;
1066
1067	len = size_of_ntlmssp_blob(ses, base_size: sizeof(NEGOTIATE_MESSAGE));
1068	*pbuffer = kmalloc(len, GFP_KERNEL);
1069	if (!*pbuffer) {
1070	rc = -ENOMEM;
1071	cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1072	*buflen = `0`;
1073	goto setup_ntlm_neg_ret;
1074	}
1075	sec_blob = (NEGOTIATE_MESSAGE )pbuffer;
1076
1077	memset(pbuffer, `0`, sizeof*(NEGOTIATE_MESSAGE));
1078	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, `8`);
1079	sec_blob->MessageType = NtLmNegotiate;
1080
1081	/ BB is NTLMV2 session security format easier to use here? /
1082	flags = NTLMSSP_NEGOTIATE_56 \| NTLMSSP_REQUEST_TARGET \|
1083	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
1084	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC \|
1085	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \| NTLMSSP_NEGOTIATE_SEAL \|
1086	NTLMSSP_NEGOTIATE_SIGN;
1087	if (!server->session_estab \|\| ses->ntlmssp->sesskey_per_smbsess)
1088	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;
1089
1090	tmp = pbuffer + sizeof*(NEGOTIATE_MESSAGE);
1091	ses->ntlmssp->client_flags = flags;
1092	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1093
1094	/ these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 /
1095	cifs_security_buffer_from_str(pbuf: &sec_blob->DomainName,
1096	NULL,
1097	CIFS_MAX_DOMAINNAME_LEN,
1098	pstart: *pbuffer, pcur: &tmp,
1099	nls_cp);
1100
1101	cifs_security_buffer_from_str(pbuf: &sec_blob->WorkstationName,
1102	NULL,
1103	CIFS_MAX_WORKSTATION_LEN,
1104	pstart: *pbuffer, pcur: &tmp,
1105	nls_cp);
1106
1107	buflen = tmp - pbuffer;
1108	setup_ntlm_neg_ret:
1109	return rc;
1110	}
1111
1112	/*
1113	* Build ntlmssp blob with additional fields, such as version,
1114	* supported by modern servers. For safety limit to SMB3 or later
1115	* See notes in MS-NLMP Section 2.2.2.1 e.g.
1116	*/
1117	int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
1118	u16 *buflen,
1119	struct cifs_ses *ses,
1120	struct TCP_Server_Info *server,
1121	const struct nls_table *nls_cp)
1122	{
1123	int rc = `0`;
1124	struct negotiate_message *sec_blob;
1125	__u32 flags;
1126	unsigned char *tmp;
1127	int len;
1128
1129	len = size_of_ntlmssp_blob(ses, base_size: sizeof(struct negotiate_message));
1130	*pbuffer = kmalloc(len, GFP_KERNEL);
1131	if (!*pbuffer) {
1132	rc = -ENOMEM;
1133	cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1134	*buflen = `0`;
1135	goto setup_ntlm_smb3_neg_ret;
1136	}
1137	sec_blob = (struct negotiate_message )pbuffer;
1138
1139	memset(pbuffer, `0`, sizeof(struct* negotiate_message));
1140	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, `8`);
1141	sec_blob->MessageType = NtLmNegotiate;
1142
1143	/ BB is NTLMV2 session security format easier to use here? /
1144	flags = NTLMSSP_NEGOTIATE_56 \| NTLMSSP_REQUEST_TARGET \|
1145	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
1146	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC \|
1147	NTLMSSP_NEGOTIATE_ALWAYS_SIGN \| NTLMSSP_NEGOTIATE_SEAL \|
1148	NTLMSSP_NEGOTIATE_SIGN \| NTLMSSP_NEGOTIATE_VERSION;
1149	if (!server->session_estab \|\| ses->ntlmssp->sesskey_per_smbsess)
1150	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;
1151
1152	sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1153	sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1154	sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1155	sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1156
1157	tmp = pbuffer + sizeof(struct* negotiate_message);
1158	ses->ntlmssp->client_flags = flags;
1159	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1160
1161	/ these fields should be null in negotiate phase MS-NLMP 3.1.5.1.1 /
1162	cifs_security_buffer_from_str(pbuf: &sec_blob->DomainName,
1163	NULL,
1164	CIFS_MAX_DOMAINNAME_LEN,
1165	pstart: *pbuffer, pcur: &tmp,
1166	nls_cp);
1167
1168	cifs_security_buffer_from_str(pbuf: &sec_blob->WorkstationName,
1169	NULL,
1170	CIFS_MAX_WORKSTATION_LEN,
1171	pstart: *pbuffer, pcur: &tmp,
1172	nls_cp);
1173
1174	buflen = tmp - pbuffer;
1175	setup_ntlm_smb3_neg_ret:
1176	return rc;
1177	}
1178
1179
1180	/ See MS-NLMP 2.2.1.3 /
1181	int build_ntlmssp_auth_blob(unsigned char **pbuffer,
1182	u16 *buflen,
1183	struct cifs_ses *ses,
1184	struct TCP_Server_Info *server,
1185	const struct nls_table *nls_cp)
1186	{
1187	int rc;
1188	AUTHENTICATE_MESSAGE *sec_blob;
1189	__u32 flags;
1190	unsigned char *tmp;
1191	int len;
1192
1193	rc = setup_ntlmv2_rsp(ses, nls_cp);
1194	if (rc) {
1195	cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
1196	*buflen = `0`;
1197	goto setup_ntlmv2_ret;
1198	}
1199
1200	len = size_of_ntlmssp_blob(ses, base_size: sizeof(AUTHENTICATE_MESSAGE));
1201	*pbuffer = kmalloc(len, GFP_KERNEL);
1202	if (!*pbuffer) {
1203	rc = -ENOMEM;
1204	cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
1205	*buflen = `0`;
1206	goto setup_ntlmv2_ret;
1207	}
1208	sec_blob = (AUTHENTICATE_MESSAGE )pbuffer;
1209
1210	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, `8`);
1211	sec_blob->MessageType = NtLmAuthenticate;
1212
1213	/ send version information in ntlmssp authenticate also /
1214	flags = ses->ntlmssp->server_flags \| NTLMSSP_REQUEST_TARGET \|
1215	NTLMSSP_NEGOTIATE_TARGET_INFO \| NTLMSSP_NEGOTIATE_VERSION \|
1216	NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
1217
1218	sec_blob->Version.ProductMajorVersion = LINUX_VERSION_MAJOR;
1219	sec_blob->Version.ProductMinorVersion = LINUX_VERSION_PATCHLEVEL;
1220	sec_blob->Version.ProductBuild = cpu_to_le16(SMB3_PRODUCT_BUILD);
1221	sec_blob->Version.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3;
1222
1223	tmp = pbuffer + sizeof*(AUTHENTICATE_MESSAGE);
1224	sec_blob->NegotiateFlags = cpu_to_le32(flags);
1225
1226	sec_blob->LmChallengeResponse.BufferOffset =
1227	cpu_to_le32(sizeof(AUTHENTICATE_MESSAGE));
1228	sec_blob->LmChallengeResponse.Length = `0`;
1229	sec_blob->LmChallengeResponse.MaximumLength = `0`;
1230
1231	sec_blob->NtChallengeResponse.BufferOffset =
1232	cpu_to_le32(tmp - *pbuffer);
1233	if (ses->user_name != NULL) {
1234	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1235	ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1236	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1237
1238	sec_blob->NtChallengeResponse.Length =
1239	cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1240	sec_blob->NtChallengeResponse.MaximumLength =
1241	cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1242	} else {
1243	/*
1244	* don't send an NT Response for anonymous access
1245	*/
1246	sec_blob->NtChallengeResponse.Length = `0`;
1247	sec_blob->NtChallengeResponse.MaximumLength = `0`;
1248	}
1249
1250	cifs_security_buffer_from_str(pbuf: &sec_blob->DomainName,
1251	str_value: ses->domainName,
1252	CIFS_MAX_DOMAINNAME_LEN,
1253	pstart: *pbuffer, pcur: &tmp,
1254	nls_cp);
1255
1256	cifs_security_buffer_from_str(pbuf: &sec_blob->UserName,
1257	str_value: ses->user_name,
1258	CIFS_MAX_USERNAME_LEN,
1259	pstart: *pbuffer, pcur: &tmp,
1260	nls_cp);
1261
1262	cifs_security_buffer_from_str(pbuf: &sec_blob->WorkstationName,
1263	str_value: ses->workstation_name,
1264	str_length: ntlmssp_workstation_name_size(ses),
1265	pstart: *pbuffer, pcur: &tmp,
1266	nls_cp);
1267
1268	if ((ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
1269	(!ses->server->session_estab \|\| ses->ntlmssp->sesskey_per_smbsess) &&
1270	!calc_seckey(ses)) {
1271	memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
1272	sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1273	sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
1274	sec_blob->SessionKey.MaximumLength =
1275	cpu_to_le16(CIFS_CPHTXT_SIZE);
1276	tmp += CIFS_CPHTXT_SIZE;
1277	} else {
1278	sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
1279	sec_blob->SessionKey.Length = `0`;
1280	sec_blob->SessionKey.MaximumLength = `0`;
1281	}
1282
1283	buflen = tmp - pbuffer;
1284	setup_ntlmv2_ret:
1285	return rc;
1286	}
1287
1288	enum securityEnum
1289	cifs_select_sectype(struct TCP_Server_Info server, enum* securityEnum requested)
1290	{
1291	switch (server->negflavor) {
1292	case CIFS_NEGFLAVOR_EXTENDED:
1293	switch (requested) {
1294	case Kerberos:
1295	case RawNTLMSSP:
1296	case IAKerb:
1297	return requested;
1298	case Unspecified:
1299	if (server->sec_ntlmssp &&
1300	(global_secflags & CIFSSEC_MAY_NTLMSSP))
1301	return RawNTLMSSP;
1302	if ((server->sec_kerberos \|\| server->sec_mskerberos \|\| server->sec_iakerb) &&
1303	(global_secflags & CIFSSEC_MAY_KRB5))
1304	return Kerberos;
1305	fallthrough;
1306	default:
1307	return Unspecified;
1308	}
1309	case CIFS_NEGFLAVOR_UNENCAP:
1310	switch (requested) {
1311	case NTLMv2:
1312	return requested;
1313	case Unspecified:
1314	if (global_secflags & CIFSSEC_MAY_NTLMV2)
1315	return NTLMv2;
1316	break;
1317	default:
1318	break;
1319	}
1320	fallthrough;
1321	default:
1322	return Unspecified;
1323	}
1324	}
1325
1326	struct sess_data {
1327	unsigned int xid;
1328	struct cifs_ses *ses;
1329	struct TCP_Server_Info *server;
1330	struct nls_table *nls_cp;
1331	void (func)(struct* sess_data *);
1332	int result;
1333	unsigned int in_len;
1334
1335	/ we will send the SMB in three pieces:*
1336	* a fixed length beginning part, an optional
1337	* SPNEGO blob (which can be zero length), and a
1338	* last part which will include the strings
1339	* and rest of bcc area. This allows us to avoid
1340	* a large buffer 17K allocation
1341	*/
1342	int buf0_type;
1343	struct kvec iov[`3`];
1344	};
1345
1346	#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
1347	static int
1348	sess_alloc_buffer(struct sess_data sess_data, int* wct)
1349	{
1350	int rc;
1351	struct cifs_ses *ses = sess_data->ses;
1352	struct smb_hdr *smb_buf;
1353
1354	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
1355	request_buf: (void **)&smb_buf);
1356
1357	if (rc < `0`)
1358	return rc;
1359
1360	sess_data->in_len = rc;
1361	sess_data->iov[`0`].iov_base = (char *)smb_buf;
1362	sess_data->iov[`0`].iov_len = sess_data->in_len;
1363	/*
1364	* This variable will be used to clear the buffer
1365	* allocated above in case of any error in the calling function.
1366	*/
1367	sess_data->buf0_type = CIFS_SMALL_BUFFER;
1368
1369	/ 2000 big enough to fit max user, domain, NOS name etc. /
1370	sess_data->iov[`2`].iov_base = kmalloc(`2000`, GFP_KERNEL);
1371	if (!sess_data->iov[`2`].iov_base) {
1372	rc = -ENOMEM;
1373	goto out_free_smb_buf;
1374	}
1375
1376	return `0`;
1377
1378	out_free_smb_buf:
1379	cifs_small_buf_release(smb_buf);
1380	sess_data->iov[`0`].iov_base = NULL;
1381	sess_data->iov[`0`].iov_len = `0`;
1382	sess_data->buf0_type = CIFS_NO_BUFFER;
1383	return rc;
1384	}
1385
1386	static void
1387	sess_free_buffer(struct sess_data *sess_data)
1388	{
1389	struct kvec *iov = sess_data->iov;
1390
1391	/*
1392	* Zero the session data before freeing, as it might contain sensitive info (keys, etc).
1393	* Note that iov[1] is already freed by caller.
1394	*/
1395	if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[`0`].iov_base)
1396	memzero_explicit(s: iov[`0`].iov_base, count: iov[`0`].iov_len);
1397
1398	free_rsp_buf(sess_data->buf0_type, iov[`0`].iov_base);
1399	sess_data->buf0_type = CIFS_NO_BUFFER;
1400	kfree_sensitive(objp: iov[`2`].iov_base);
1401	}
1402
1403	static int
1404	sess_establish_session(struct sess_data *sess_data)
1405	{
1406	struct cifs_ses *ses = sess_data->ses;
1407	struct TCP_Server_Info *server = sess_data->server;
1408
1409	cifs_server_lock(server);
1410	if (!server->session_estab) {
1411	if (server->sign) {
1412	server->session_key.response =
1413	kmemdup(ses->auth_key.response,
1414	ses->auth_key.len, GFP_KERNEL);
1415	if (!server->session_key.response) {
1416	cifs_server_unlock(server);
1417	return -ENOMEM;
1418	}
1419	server->session_key.len =
1420	ses->auth_key.len;
1421	}
1422	server->sequence_number = `0x2`;
1423	server->session_estab = true;
1424	}
1425	cifs_server_unlock(server);
1426
1427	cifs_dbg(FYI, "CIFS session established successfully\n");
1428	return `0`;
1429	}
1430
1431	static int
1432	sess_sendreceive(struct sess_data *sess_data)
1433	{
1434	int rc;
1435	struct smb_hdr smb_buf = (struct* smb_hdr *) sess_data->iov[`0`].iov_base;
1436	__u16 count;
1437	struct kvec rsp_iov = { NULL, `0` };
1438
1439	count = sess_data->iov[`1`].iov_len + sess_data->iov[`2`].iov_len;
1440	sess_data->in_len += count;
1441	put_bcc(count, hdr: smb_buf);
1442
1443	rc = SendReceive2(sess_data->xid, sess_data->ses,
1444	sess_data->iov, `3` / num_iovecs /,
1445	&sess_data->buf0_type,
1446	CIFS_LOG_ERROR, &rsp_iov);
1447	cifs_small_buf_release(sess_data->iov[`0`].iov_base);
1448	memcpy(&sess_data->iov[`0`], &rsp_iov, sizeof(struct kvec));
1449
1450	return rc;
1451	}
1452
1453	static void
1454	sess_auth_ntlmv2(struct sess_data *sess_data)
1455	{
1456	int rc = `0`;
1457	struct smb_hdr *smb_buf;
1458	SESSION_SETUP_ANDX *pSMB;
1459	char *bcc_ptr;
1460	struct cifs_ses *ses = sess_data->ses;
1461	struct TCP_Server_Info *server = sess_data->server;
1462	__u32 capabilities;
1463	__u16 bytes_remaining;
1464
1465	/ old style NTLM sessionsetup /
1466	/ wct = 13 /
1467	rc = sess_alloc_buffer(sess_data, wct: `13`);
1468	if (rc)
1469	goto out;
1470
1471	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1472	bcc_ptr = sess_data->iov[`2`].iov_base;
1473	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1474
1475	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
1476
1477	/ LM2 password would be here if we supported it /
1478	pSMB->req_no_secext.CaseInsensitivePasswordLength = `0`;
1479
1480	if (ses->user_name != NULL) {
1481	/ calculate nlmv2 response and session key /
1482	rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
1483	if (rc) {
1484	cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
1485	goto out;
1486	}
1487
1488	memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
1489	ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1490	bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
1491
1492	/ set case sensitive password length after tilen may get*
1493	* assigned, tilen is 0 otherwise.
1494	*/
1495	pSMB->req_no_secext.CaseSensitivePasswordLength =
1496	cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
1497	} else {
1498	pSMB->req_no_secext.CaseSensitivePasswordLength = `0`;
1499	}
1500
1501	if (ses->capabilities & CAP_UNICODE) {
1502	if (!IS_ALIGNED(sess_data->iov[`0`].iov_len, `2`)) {
1503	*bcc_ptr = `0`;
1504	bcc_ptr++;
1505	}
1506	unicode_ssetup_strings(pbcc_area: &bcc_ptr, ses, nls_cp: sess_data->nls_cp);
1507	} else {
1508	ascii_ssetup_strings(pbcc_area: &bcc_ptr, ses, nls_cp: sess_data->nls_cp);
1509	}
1510
1511
1512	sess_data->iov[`2`].iov_len = (long) bcc_ptr -
1513	(long) sess_data->iov[`2`].iov_base;
1514
1515	rc = sess_sendreceive(sess_data);
1516	if (rc)
1517	goto out;
1518
1519	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1520	smb_buf = (struct smb_hdr *)sess_data->iov[`0`].iov_base;
1521
1522	if (smb_buf->WordCount != `3`) {
1523	rc = smb_EIO1(trace: smb_eio_trace_sess_nl2_wcc, info: smb_buf->WordCount);
1524	cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1525	goto out;
1526	}
1527
1528	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1529	cifs_dbg(FYI, "Guest login\n"); / BB mark SesInfo struct? /
1530
1531	ses->Suid = smb_buf->Uid; / UID left in wire format (le) /
1532	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1533
1534	bytes_remaining = get_bcc(hdr: smb_buf);
1535	bcc_ptr = pByteArea(smb_buf);
1536
1537	/ BB check if Unicode and decode strings /
1538	if (bytes_remaining == `0`) {
1539	/ no string area to decode, do nothing /
1540	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1541	/ unicode string area must be word-aligned /
1542	if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, `2`)) {
1543	++bcc_ptr;
1544	--bytes_remaining;
1545	}
1546	decode_unicode_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1547	nls_cp: sess_data->nls_cp);
1548	} else {
1549	decode_ascii_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1550	nls_cp: sess_data->nls_cp);
1551	}
1552
1553	rc = sess_establish_session(sess_data);
1554	out:
1555	sess_data->result = rc;
1556	sess_data->func = NULL;
1557	sess_free_buffer(sess_data);
1558	kfree_sensitive(objp: ses->auth_key.response);
1559	ses->auth_key.response = NULL;
1560	}
1561
1562	#ifdef CONFIG_CIFS_UPCALL
1563	static void
1564	sess_auth_kerberos(struct sess_data *sess_data)
1565	{
1566	int rc = `0`;
1567	struct smb_hdr *smb_buf;
1568	SESSION_SETUP_ANDX *pSMB;
1569	char *bcc_ptr;
1570	struct cifs_ses *ses = sess_data->ses;
1571	struct TCP_Server_Info *server = sess_data->server;
1572	__u32 capabilities;
1573	__u16 bytes_remaining;
1574	struct key *spnego_key = NULL;
1575	struct cifs_spnego_msg *msg;
1576	u16 blob_len;
1577
1578	/ extended security /
1579	/ wct = 12 /
1580	rc = sess_alloc_buffer(sess_data, wct: `12`);
1581	if (rc)
1582	goto out;
1583
1584	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1585	bcc_ptr = sess_data->iov[`2`].iov_base;
1586	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1587
1588	spnego_key = cifs_get_spnego_key(sesInfo: ses, server);
1589	if (IS_ERR(ptr: spnego_key)) {
1590	rc = PTR_ERR(ptr: spnego_key);
1591	spnego_key = NULL;
1592	goto out;
1593	}
1594
1595	msg = spnego_key->payload.data[`0`];
1596	/*
1597	* check version field to make sure that cifs.upcall is
1598	* sending us a response in an expected form
1599	*/
1600	if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
1601	cifs_dbg(VFS, "incorrect version of cifs.upcall (expected %d but got %d)\n",
1602	CIFS_SPNEGO_UPCALL_VERSION, msg->version);
1603	rc = -EKEYREJECTED;
1604	goto out_put_spnego_key;
1605	}
1606
1607	kfree_sensitive(objp: ses->auth_key.response);
1608	ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
1609	GFP_KERNEL);
1610	if (!ses->auth_key.response) {
1611	cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
1612	msg->sesskey_len);
1613	rc = -ENOMEM;
1614	goto out_put_spnego_key;
1615	}
1616	ses->auth_key.len = msg->sesskey_len;
1617
1618	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
1619	capabilities \|= CAP_EXTENDED_SECURITY;
1620	pSMB->req.Capabilities = cpu_to_le32(capabilities);
1621	sess_data->iov[`1`].iov_base = msg->data + msg->sesskey_len;
1622	sess_data->iov[`1`].iov_len = msg->secblob_len;
1623	pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[`1`].iov_len);
1624
1625	if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
1626	/ unicode strings must be word aligned /
1627	if (!IS_ALIGNED(sess_data->iov[`0`].iov_len + sess_data->iov[`1`].iov_len, `2`)) {
1628	*bcc_ptr = `0`;
1629	bcc_ptr++;
1630	}
1631	unicode_oslm_strings(pbcc_area: &bcc_ptr, nls_cp: sess_data->nls_cp);
1632	unicode_domain_string(pbcc_area: &bcc_ptr, ses, nls_cp: sess_data->nls_cp);
1633	} else {
1634	ascii_oslm_strings(pbcc_area: &bcc_ptr, nls_cp: sess_data->nls_cp);
1635	ascii_domain_string(pbcc_area: &bcc_ptr, ses, nls_cp: sess_data->nls_cp);
1636	}
1637
1638	sess_data->iov[`2`].iov_len = (long) bcc_ptr -
1639	(long) sess_data->iov[`2`].iov_base;
1640
1641	rc = sess_sendreceive(sess_data);
1642	if (rc)
1643	goto out_put_spnego_key;
1644
1645	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1646	smb_buf = (struct smb_hdr *)sess_data->iov[`0`].iov_base;
1647
1648	if (smb_buf->WordCount != `4`) {
1649	rc = smb_EIO1(trace: smb_eio_trace_sess_krb_wcc, info: smb_buf->WordCount);
1650	cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1651	goto out_put_spnego_key;
1652	}
1653
1654	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1655	cifs_dbg(FYI, "Guest login\n"); / BB mark SesInfo struct? /
1656
1657	ses->Suid = smb_buf->Uid; / UID left in wire format (le) /
1658	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1659
1660	bytes_remaining = get_bcc(hdr: smb_buf);
1661	bcc_ptr = pByteArea(smb_buf);
1662
1663	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1664	if (blob_len > bytes_remaining) {
1665	cifs_dbg(VFS, "bad security blob length %d\n",
1666	blob_len);
1667	rc = -EINVAL;
1668	goto out_put_spnego_key;
1669	}
1670	bcc_ptr += blob_len;
1671	bytes_remaining -= blob_len;
1672
1673	/ BB check if Unicode and decode strings /
1674	if (bytes_remaining == `0`) {
1675	/ no string area to decode, do nothing /
1676	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1677	/ unicode string area must be word-aligned /
1678	if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, `2`)) {
1679	++bcc_ptr;
1680	--bytes_remaining;
1681	}
1682	decode_unicode_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1683	nls_cp: sess_data->nls_cp);
1684	} else {
1685	decode_ascii_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1686	nls_cp: sess_data->nls_cp);
1687	}
1688
1689	rc = sess_establish_session(sess_data);
1690	out_put_spnego_key:
1691	key_invalidate(key: spnego_key);
1692	key_put(key: spnego_key);
1693	out:
1694	sess_data->result = rc;
1695	sess_data->func = NULL;
1696	sess_free_buffer(sess_data);
1697	kfree_sensitive(objp: ses->auth_key.response);
1698	ses->auth_key.response = NULL;
1699	}
1700
1701	#endif /* ! CONFIG_CIFS_UPCALL */
1702
1703	/*
1704	* The required kvec buffers have to be allocated before calling this
1705	* function.
1706	*/
1707	static int
1708	_sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
1709	{
1710	SESSION_SETUP_ANDX *pSMB;
1711	struct cifs_ses *ses = sess_data->ses;
1712	struct TCP_Server_Info *server = sess_data->server;
1713	__u32 capabilities;
1714	char *bcc_ptr;
1715
1716	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1717
1718	capabilities = cifs_ssetup_hdr(ses, server, pSMB);
1719	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
1720	capabilities \|= CAP_EXTENDED_SECURITY;
1721	pSMB->req.Capabilities \|= cpu_to_le32(capabilities);
1722
1723	bcc_ptr = sess_data->iov[`2`].iov_base;
1724
1725	if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
1726	/ unicode strings must be word aligned /
1727	if (!IS_ALIGNED(sess_data->iov[`0`].iov_len + sess_data->iov[`1`].iov_len, `2`)) {
1728	*bcc_ptr = `0`;
1729	bcc_ptr++;
1730	}
1731	unicode_oslm_strings(pbcc_area: &bcc_ptr, nls_cp: sess_data->nls_cp);
1732	} else {
1733	ascii_oslm_strings(pbcc_area: &bcc_ptr, nls_cp: sess_data->nls_cp);
1734	}
1735
1736	sess_data->iov[`2`].iov_len = (long) bcc_ptr -
1737	(long) sess_data->iov[`2`].iov_base;
1738
1739	return `0`;
1740	}
1741
1742	static void
1743	sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data);
1744
1745	static void
1746	sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
1747	{
1748	int rc;
1749	struct smb_hdr *smb_buf;
1750	SESSION_SETUP_ANDX *pSMB;
1751	struct cifs_ses *ses = sess_data->ses;
1752	struct TCP_Server_Info *server = sess_data->server;
1753	__u16 bytes_remaining;
1754	char *bcc_ptr;
1755	unsigned char *ntlmsspblob = NULL;
1756	u16 blob_len;
1757
1758	cifs_dbg(FYI, "rawntlmssp session setup negotiate phase\n");
1759
1760	/*
1761	* if memory allocation is successful, caller of this function
1762	* frees it.
1763	*/
1764	ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
1765	if (!ses->ntlmssp) {
1766	rc = -ENOMEM;
1767	goto out;
1768	}
1769	ses->ntlmssp->sesskey_per_smbsess = false;
1770
1771	/ wct = 12 /
1772	rc = sess_alloc_buffer(sess_data, wct: `12`);
1773	if (rc)
1774	goto out;
1775
1776	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1777
1778	/ Build security blob before we assemble the request /
1779	rc = build_ntlmssp_negotiate_blob(pbuffer: &ntlmsspblob,
1780	buflen: &blob_len, ses, server,
1781	nls_cp: sess_data->nls_cp);
1782	if (rc)
1783	goto out_free_ntlmsspblob;
1784
1785	sess_data->iov[`1`].iov_len = blob_len;
1786	sess_data->iov[`1`].iov_base = ntlmsspblob;
1787	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1788
1789	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1790	if (rc)
1791	goto out_free_ntlmsspblob;
1792
1793	rc = sess_sendreceive(sess_data);
1794
1795	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1796	smb_buf = (struct smb_hdr *)sess_data->iov[`0`].iov_base;
1797
1798	/ If true, rc here is expected and not an error /
1799	if (sess_data->buf0_type != CIFS_NO_BUFFER &&
1800	smb_buf->Status.CifsError ==
1801	cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
1802	rc = `0`;
1803
1804	if (rc)
1805	goto out_free_ntlmsspblob;
1806
1807	cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
1808
1809	if (smb_buf->WordCount != `4`) {
1810	rc = smb_EIO1(trace: smb_eio_trace_sess_rawnl_neg_wcc, info: smb_buf->WordCount);
1811	cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1812	goto out_free_ntlmsspblob;
1813	}
1814
1815	ses->Suid = smb_buf->Uid; / UID left in wire format (le) /
1816	cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
1817
1818	bytes_remaining = get_bcc(hdr: smb_buf);
1819	bcc_ptr = pByteArea(smb_buf);
1820
1821	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1822	if (blob_len > bytes_remaining) {
1823	cifs_dbg(VFS, "bad security blob length %d\n",
1824	blob_len);
1825	rc = -EINVAL;
1826	goto out_free_ntlmsspblob;
1827	}
1828
1829	rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
1830
1831	out_free_ntlmsspblob:
1832	kfree_sensitive(objp: ntlmsspblob);
1833	out:
1834	sess_free_buffer(sess_data);
1835
1836	if (!rc) {
1837	sess_data->func = sess_auth_rawntlmssp_authenticate;
1838	return;
1839	}
1840
1841	/ Else error. Cleanup /
1842	kfree_sensitive(objp: ses->auth_key.response);
1843	ses->auth_key.response = NULL;
1844	kfree_sensitive(objp: ses->ntlmssp);
1845	ses->ntlmssp = NULL;
1846
1847	sess_data->func = NULL;
1848	sess_data->result = rc;
1849	}
1850
1851	static void
1852	sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
1853	{
1854	int rc;
1855	struct smb_hdr *smb_buf;
1856	SESSION_SETUP_ANDX *pSMB;
1857	struct cifs_ses *ses = sess_data->ses;
1858	struct TCP_Server_Info *server = sess_data->server;
1859	__u16 bytes_remaining;
1860	char *bcc_ptr;
1861	unsigned char *ntlmsspblob = NULL;
1862	u16 blob_len;
1863
1864	cifs_dbg(FYI, "rawntlmssp session setup authenticate phase\n");
1865
1866	/ wct = 12 /
1867	rc = sess_alloc_buffer(sess_data, wct: `12`);
1868	if (rc)
1869	goto out;
1870
1871	/ Build security blob before we assemble the request /
1872	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1873	smb_buf = (struct smb_hdr *)pSMB;
1874	rc = build_ntlmssp_auth_blob(pbuffer: &ntlmsspblob,
1875	buflen: &blob_len, ses, server,
1876	nls_cp: sess_data->nls_cp);
1877	if (rc)
1878	goto out_free_ntlmsspblob;
1879	sess_data->iov[`1`].iov_len = blob_len;
1880	sess_data->iov[`1`].iov_base = ntlmsspblob;
1881	pSMB->req.SecurityBlobLength = cpu_to_le16(blob_len);
1882	/*
1883	* Make sure that we tell the server that we are using
1884	* the uid that it just gave us back on the response
1885	* (challenge)
1886	*/
1887	smb_buf->Uid = ses->Suid;
1888
1889	rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
1890	if (rc)
1891	goto out_free_ntlmsspblob;
1892
1893	rc = sess_sendreceive(sess_data);
1894	if (rc)
1895	goto out_free_ntlmsspblob;
1896
1897	pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[`0`].iov_base;
1898	smb_buf = (struct smb_hdr *)sess_data->iov[`0`].iov_base;
1899	if (smb_buf->WordCount != `4`) {
1900	rc = smb_EIO1(trace: smb_eio_trace_sess_rawnl_auth_wcc, info: smb_buf->WordCount);
1901	cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
1902	goto out_free_ntlmsspblob;
1903	}
1904
1905	if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
1906	cifs_dbg(FYI, "Guest login\n"); / BB mark SesInfo struct? /
1907
1908	if (ses->Suid != smb_buf->Uid) {
1909	ses->Suid = smb_buf->Uid;
1910	cifs_dbg(FYI, "UID changed! new UID = %llu\n", ses->Suid);
1911	}
1912
1913	bytes_remaining = get_bcc(hdr: smb_buf);
1914	bcc_ptr = pByteArea(smb_buf);
1915	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
1916	if (blob_len > bytes_remaining) {
1917	cifs_dbg(VFS, "bad security blob length %d\n",
1918	blob_len);
1919	rc = -EINVAL;
1920	goto out_free_ntlmsspblob;
1921	}
1922	bcc_ptr += blob_len;
1923	bytes_remaining -= blob_len;
1924
1925
1926	/ BB check if Unicode and decode strings /
1927	if (bytes_remaining == `0`) {
1928	/ no string area to decode, do nothing /
1929	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
1930	/ unicode string area must be word-aligned /
1931	if (!IS_ALIGNED((unsigned long)bcc_ptr - (unsigned long)smb_buf, `2`)) {
1932	++bcc_ptr;
1933	--bytes_remaining;
1934	}
1935	decode_unicode_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1936	nls_cp: sess_data->nls_cp);
1937	} else {
1938	decode_ascii_ssetup(pbcc_area: &bcc_ptr, bleft: bytes_remaining, ses,
1939	nls_cp: sess_data->nls_cp);
1940	}
1941
1942	out_free_ntlmsspblob:
1943	kfree_sensitive(objp: ntlmsspblob);
1944	out:
1945	sess_free_buffer(sess_data);
1946
1947	if (!rc)
1948	rc = sess_establish_session(sess_data);
1949
1950	/ Cleanup /
1951	kfree_sensitive(objp: ses->auth_key.response);
1952	ses->auth_key.response = NULL;
1953	kfree_sensitive(objp: ses->ntlmssp);
1954	ses->ntlmssp = NULL;
1955
1956	sess_data->func = NULL;
1957	sess_data->result = rc;
1958	}
1959
1960	static int select_sec(struct sess_data *sess_data)
1961	{
1962	int type;
1963	struct cifs_ses *ses = sess_data->ses;
1964	struct TCP_Server_Info *server = sess_data->server;
1965
1966	type = cifs_select_sectype(server, requested: ses->sectype);
1967	cifs_dbg(FYI, "sess setup type %d\n", type);
1968	if (type == Unspecified) {
1969	cifs_dbg(VFS, "Unable to select appropriate authentication method!\n");
1970	return -EINVAL;
1971	}
1972
1973	switch (type) {
1974	case NTLMv2:
1975	sess_data->func = sess_auth_ntlmv2;
1976	break;
1977	case Kerberos:
1978	#ifdef CONFIG_CIFS_UPCALL
1979	sess_data->func = sess_auth_kerberos;
1980	break;
1981	#else
1982	cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
1983	return -ENOSYS;
1984	#endif /* CONFIG_CIFS_UPCALL */
1985	case RawNTLMSSP:
1986	sess_data->func = sess_auth_rawntlmssp_negotiate;
1987	break;
1988	default:
1989	cifs_dbg(VFS, "secType %d not supported!\n", type);
1990	return -ENOSYS;
1991	}
1992
1993	return `0`;
1994	}
1995
1996	int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
1997	struct TCP_Server_Info *server,
1998	const struct nls_table *nls_cp)
1999	{
2000	int rc = `0`;
2001	struct sess_data *sess_data;
2002
2003	if (ses == NULL) {
2004	WARN(`1`, "%s: ses == NULL!", __func__);
2005	return -EINVAL;
2006	}
2007
2008	sess_data = kzalloc(sizeof(struct sess_data), GFP_KERNEL);
2009	if (!sess_data)
2010	return -ENOMEM;
2011
2012	sess_data->xid = xid;
2013	sess_data->ses = ses;
2014	sess_data->server = server;
2015	sess_data->buf0_type = CIFS_NO_BUFFER;
2016	sess_data->nls_cp = (struct nls_table *) nls_cp;
2017
2018	rc = select_sec(sess_data);
2019	if (rc)
2020	goto out;
2021
2022	while (sess_data->func)
2023	sess_data->func(sess_data);
2024
2025	/ Store result before we free sess_data /
2026	rc = sess_data->result;
2027
2028	out:
2029	kfree_sensitive(objp: sess_data);
2030	return rc;
2031	}
2032	#endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
2033

source code of linux/fs/smb/client/sess.c