[GitHub/mt8127/android_kernel_alcatel_ttab.git] / fs / cifs / sess.c

/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
 *   Copyright (c) International Business Machines  Corp., 2006, 2007
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
#include <linux/utsname.h>

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
			 unsigned char *p24);

static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
	/* note that header is initialized to zero in header_assemble */
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

	/* BB verify whether signing required on neg or just on auth frame
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
	if (ses->capabilities & CAP_UNIX) {
		capabilities |= CAP_UNIX;
	}

	/* BB check whether to init vcnum BB */
	return capabilities;
}

static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
		*bcc_ptr = 0;
		bcc_ptr++;
	} */
	/* copy user */
	if (ses->userName == NULL) {
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
	} else { /* 300 should be long enough for any conceivable user name */
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
					  300, nls_cp);
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */
	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName, 
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
				 const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
	} else { /* 300 should be long enough for any conceivable user name */
		strncpy(bcc_ptr, ses->userName, 300);
	}
	/* BB improve check for overflow */
	bcc_ptr += strnlen(ses->userName, 300);
	*bcc_ptr = 0;
	bcc_ptr++; /* account for null termination */

	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
		bcc_ptr += strnlen(ses->domainName, 256);
	} /* else we will send a null domain name
	     so the server will default to its own domain */
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

	*pbcc_area = bcc_ptr;
}

static int decode_unicode_ssetup(char **pbcc_area, int bleft,
				 struct cifsSesInfo *ses,
				 const struct nls_table *nls_cp)
{
	int rc = 0;
	int words_left, len;
	char *data = *pbcc_area;


	cFYI(1, ("bleft %d", bleft));


	/* SMB header is unaligned, so cifs servers word align start of
	   Unicode strings */
	data++;
	bleft--; /* Windows servers do not always double null terminate
		    their final Unicode string - in which case we
		    now will not attempt to decode the byte of junk
		    which follows it */
		    
	words_left = bleft / 2;

	/* save off server operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

/* We look for obvious messed up bcc or strings in response so we do not go off
   the end since (at least) WIN2K and Windows XP have a major bug in not null
   terminating last Unicode string in response  */
	if (len >= words_left)
		return rc;

	if (ses->serverOS)
		kfree(ses->serverOS);
	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
	if (ses->serverOS != NULL) {
		cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
				   nls_cp);
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server network operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

	if (len >= words_left)
		return rc;

	if (ses->serverNOS)
		kfree(ses->serverNOS);
	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
	if (ses->serverNOS != NULL) {
		cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
				   nls_cp);
		if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
			cFYI(1, ("NT4 server"));
			ses->flags |= CIFS_SES_NT4;
		}
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server domain */
	len = UniStrnlen((wchar_t *) data, words_left);

	if (len > words_left)
		return rc;

	if (ses->serverDomain)
		kfree(ses->serverDomain);
	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	if (ses->serverDomain != NULL) {
		cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
				   nls_cp);
		ses->serverDomain[2*len] = 0;
		ses->serverDomain[(2*len) + 1] = 0;
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	cFYI(1, ("words left: %d", words_left));

	return rc;
}

static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
{
	int rc = 0;
	int len;
	char *bcc_ptr = *pbcc_area;

	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));
	
	len = strnlen(bcc_ptr, bleft);
	if (len >= bleft)
		return rc;
	
	if (ses->serverOS)
		kfree(ses->serverOS);

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
	if (ses->serverOS)
		strncpy(ses->serverOS, bcc_ptr, len);
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
			cFYI(1, ("OS/2 server"));
			ses->flags |= CIFS_SES_OS2;
	}

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
	if (len >= bleft)
		return rc;

	if (ses->serverNOS)
		kfree(ses->serverNOS);

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
	if (ses->serverNOS)
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;

	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
	cFYI(1, ("ascii: bytes left %d", bleft));

	return rc;
}

int
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
		const struct nls_table *nls_cp)
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
	char *str_area;
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
	int resp_buf_type = 0;
	struct kvec iov[2];
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;

	if (ses == NULL)
		return -EINVAL;

	type = ses->server->secType;

	cFYI(1, ("sess setup type %d", type));
	if (type == LANMAN) {
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
	} else if ((type == NTLM) || (type == NTLMv2)) {
		/* For NTLMv2 failures eventually may need to retry NTLM */
		wct = 13; /* old style NTLM sessionsetup */
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
	if (rc)
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);

	/* we will send the SMB in two pieces,
	a fixed length beginning part, and a
	second part which will include the strings
	and rest of bcc area, in order to avoid having
	to do a large buffer 17K allocation */
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;

	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
	bcc_ptr = str_area;

	ses->flags &= ~CIFS_SES_LANMAN;

	if (type == LANMAN) {
#ifdef CONFIG_CIFS_WEAK_PW_HASH
		char lnm_session_key[CIFS_SESS_KEY_SIZE];

		/* no capabilities flags in old lanman negotiation */

		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
		/* BB calculate hash with password */
		/* and copy into bcc */

		calc_lanman_hash(ses, lnm_session_key);
		ses->flags |= CIFS_SES_LANMAN;
/* #ifdef CONFIG_CIFS_DEBUG2
		cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
			CIFS_SESS_KEY_SIZE);
#endif */
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

		cFYI(1, ("Negotiating LANMAN setting up strings"));
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#endif
	} else if (type == NTLM) {
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
	
		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

		if (first_time) /* should this be moved into common code
				  with similar ntlmv2 path? */
			cifs_calculate_mac_key(ses->server->mac_signing_key,
				ntlm_session_key, ses->password);
		/* copy session key */

		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
		char *v2_sess_key =
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */

		if (v2_sess_key == NULL) {
			cifs_small_buf_release(smb_buf);
			return -ENOMEM;
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
			cpu_to_le16(sizeof(struct ntlmv2_resp));

		/* calculate session key */
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
		if (first_time) /* should this be moved into common code
				   with similar ntlmv2 path? */
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
		memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
			}	bcc_ptr++;
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
		} else
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else /* NTLMSSP or SPNEGO */ {
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
		/* BB set password lengths */
	}

	count = (long) bcc_ptr - (long) str_area;
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

	iov[1].iov_base = str_area;
	iov[1].iov_len = count;
	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
	/* SMB request buf freed in SendReceive2 */

	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
	if (rc)
		goto ssetup_exit;

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
		rc = -EIO;
		cERROR(1, ("bad word count %d", smb_buf->WordCount));
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
		cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
	cFYI(1, ("UID = %d ", ses->Suid));
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

	if (smb_buf->WordCount == 4) {
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
		bcc_ptr += blob_len;
		if (blob_len > bytes_remaining) {
			cERROR(1, ("bad security blob length %d", blob_len));
			rc = -EINVAL;
			goto ssetup_exit;
		}
		bytes_remaining -= blob_len;
	}

	/* BB check if Unicode and decode strings */
	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
						   ses, nls_cp);
	else
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
	
ssetup_exit:
	kfree(str_area);
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
		cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
		cifs_small_buf_release(iov[0].iov_base);
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
		cifs_buf_release(iov[0].iov_base);

	return rc;
}
Commit	Line	Data
3979877e SF	1	/*
	2	* fs/cifs/sess.c
	3	*
	4	* SMB/CIFS session setup handling routines
	5	*
790fe579	6	* Copyright (c) International Business Machines Corp., 2006, 2007
3979877e SF	7	* Author(s): Steve French (sfrench@us.ibm.com)
	8	*
	9	* This library is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU Lesser General Public License as published
	11	* by the Free Software Foundation; either version 2.1 of the License, or
	12	* (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	17	* the GNU Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public License
	20	* along with this library; if not, write to the Free Software
	21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	22	*/
	23
	24	#include "cifspdu.h"
	25	#include "cifsglob.h"
	26	#include "cifsproto.h"
	27	#include "cifs_unicode.h"
	28	#include "cifs_debug.h"
	29	#include "ntlmssp.h"
	30	#include "nterr.h"
9c53588e	31	#include <linux/utsname.h>
3979877e	32
3979877e	33	extern void SMBNTencrypt(unsigned char passwd, unsigned char c8,
790fe579	34	unsigned char *p24);
3979877e	35
3979877e SF	36	static __u32 cifs_ssetup_hdr(struct cifsSesInfo ses, SESSION_SETUP_ANDX pSMB)
	37	{
	38	__u32 capabilities = 0;
	39
	40	/* init fields common to all four types of SessSetup */
	41	/* note that header is initialized to zero in header_assemble */
	42	pSMB->req.AndXCommand = 0xFF;
	43	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	44	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);
	45
	46	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
	47
790fe579	48	/* BB verify whether signing required on neg or just on auth frame
3979877e SF	49	(and NTLM case) */
	50
	51	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|
	52	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;
	53
790fe579 SF	54	if (ses->server->secMode &
790fe579 SF	55	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
3979877e SF	56	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
	57
	58	if (ses->capabilities & CAP_UNICODE) {
	59	pSMB->req.hdr.Flags2 \|= SMBFLG2_UNICODE;
	60	capabilities \|= CAP_UNICODE;
	61	}
	62	if (ses->capabilities & CAP_STATUS32) {
	63	pSMB->req.hdr.Flags2 \|= SMBFLG2_ERR_STATUS;
	64	capabilities \|= CAP_STATUS32;
	65	}
	66	if (ses->capabilities & CAP_DFS) {
	67	pSMB->req.hdr.Flags2 \|= SMBFLG2_DFS;
	68	capabilities \|= CAP_DFS;
	69	}
	70	if (ses->capabilities & CAP_UNIX) {
	71	capabilities \|= CAP_UNIX;
	72	}
	73
	74	/* BB check whether to init vcnum BB */
	75	return capabilities;
	76	}
	77
7c7b25bc	78	static void unicode_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
790fe579	79	const struct nls_table *nls_cp)
3979877e	80	{
790fe579	81	char bcc_ptr = pbcc_area;
3979877e SF	82	int bytes_ret = 0;
	83
	84	/* BB FIXME add check that strings total less
	85	than 335 or will need to send them as arrays */
	86
0223cf0b SF	87	/* unicode strings, must be word aligned before the call */
0223cf0b SF	88	/* if ((long) bcc_ptr % 2) {
3979877e SF	89	*bcc_ptr = 0;
3979877e SF	90	bcc_ptr++;
0223cf0b	91	} */
3979877e	92	/* copy user */
790fe579	93	if (ses->userName == NULL) {
6e659c63 SF	94	/* null user mount */
	95	*bcc_ptr = 0;
	96	*(bcc_ptr+1) = 0;
3979877e SF	97	} else { /* 300 should be long enough for any conceivable user name */
	98	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
	99	300, nls_cp);
	100	}
	101	bcc_ptr += 2 * bytes_ret;
	102	bcc_ptr += 2; /* account for null termination */
	103	/* copy domain */
790fe579	104	if (ses->domainName == NULL) {
6e659c63 SF	105	/* Sending null domain better than using a bogus domain name (as
	106	we did briefly in 2.6.18) since server will use its default */
	107	*bcc_ptr = 0;
	108	*(bcc_ptr+1) = 0;
	109	bytes_ret = 0;
	110	} else
3979877e SF	111	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
	112	256, nls_cp);
	113	bcc_ptr += 2 * bytes_ret;
	114	bcc_ptr += 2; /* account for null terminator */
	115
	116	/* Copy OS version */
	117	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
	118	nls_cp);
	119	bcc_ptr += 2 * bytes_ret;
96b644bd	120	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
3979877e SF	121	32, nls_cp);
	122	bcc_ptr += 2 * bytes_ret;
	123	bcc_ptr += 2; /* trailing null */
	124
	125	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
790fe579	126	32, nls_cp);
3979877e SF	127	bcc_ptr += 2 * bytes_ret;
	128	bcc_ptr += 2; /* trailing null */
	129
	130	*pbcc_area = bcc_ptr;
	131	}
	132
7c7b25bc	133	static void ascii_ssetup_strings(char ** pbcc_area, struct cifsSesInfo *ses,
790fe579	134	const struct nls_table *nls_cp)
3979877e	135	{
790fe579	136	char bcc_ptr = pbcc_area;
3979877e SF	137
	138	/* copy user */
	139	/* BB what about null user mounts - check that we do this BB */
790fe579 SF	140	/* copy user */
	141	if (ses->userName == NULL) {
	142	/* BB what about null user mounts - check that we do this BB */
	143	} else { /* 300 should be long enough for any conceivable user name */
	144	strncpy(bcc_ptr, ses->userName, 300);
	145	}
3979877e	146	/* BB improve check for overflow */
790fe579	147	bcc_ptr += strnlen(ses->userName, 300);
3979877e	148	*bcc_ptr = 0;
790fe579	149	bcc_ptr++; /* account for null termination */
3979877e	150
790fe579 SF	151	/* copy domain */
	152
	153	if (ses->domainName != NULL) {
	154	strncpy(bcc_ptr, ses->domainName, 256);
3979877e	155	bcc_ptr += strnlen(ses->domainName, 256);
790fe579	156	} /* else we will send a null domain name
6e659c63	157	so the server will default to its own domain */
3979877e SF	158	*bcc_ptr = 0;
	159	bcc_ptr++;
	160
	161	/* BB check for overflow here */
	162
	163	strcpy(bcc_ptr, "Linux version ");
	164	bcc_ptr += strlen("Linux version ");
96b644bd SH	165	strcpy(bcc_ptr, init_utsname()->release);
96b644bd SH	166	bcc_ptr += strlen(init_utsname()->release) + 1;
3979877e SF	167
	168	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	169	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
	170
790fe579	171	*pbcc_area = bcc_ptr;
3979877e SF	172	}
3979877e SF	173
790fe579 SF	174	static int decode_unicode_ssetup(char **pbcc_area, int bleft,
	175	struct cifsSesInfo *ses,
	176	const struct nls_table *nls_cp)
3979877e SF	177	{
	178	int rc = 0;
	179	int words_left, len;
790fe579	180	char data = pbcc_area;
3979877e SF	181
	182
	183
790fe579	184	cFYI(1, ("bleft %d", bleft));
3979877e SF	185
3979877e SF	186
8e6f195a SF	187	/* SMB header is unaligned, so cifs servers word align start of
	188	Unicode strings */
	189	data++;
	190	bleft--; /* Windows servers do not always double null terminate
	191	their final Unicode string - in which case we
	192	now will not attempt to decode the byte of junk
	193	which follows it */
	194
3979877e SF	195	words_left = bleft / 2;
	196
	197	/* save off server operating system */
	198	len = UniStrnlen((wchar_t *) data, words_left);
	199
	200	/* We look for obvious messed up bcc or strings in response so we do not go off
	201	the end since (at least) WIN2K and Windows XP have a major bug in not null
	202	terminating last Unicode string in response */
790fe579	203	if (len >= words_left)
3979877e SF	204	return rc;
3979877e SF	205
790fe579	206	if (ses->serverOS)
3979877e SF	207	kfree(ses->serverOS);
	208	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	209	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
790fe579	210	if (ses->serverOS != NULL) {
3979877e SF	211	cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len,
	212	nls_cp);
	213	}
	214	data += 2 * (len + 1);
	215	words_left -= len + 1;
	216
	217	/* save off server network operating system */
	218	len = UniStrnlen((wchar_t *) data, words_left);
	219
790fe579	220	if (len >= words_left)
3979877e SF	221	return rc;
3979877e SF	222
790fe579	223	if (ses->serverNOS)
3979877e SF	224	kfree(ses->serverNOS);
3979877e SF	225	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
790fe579	226	if (ses->serverNOS != NULL) {
3979877e SF	227	cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
3979877e SF	228	nls_cp);
790fe579 SF	229	if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
790fe579 SF	230	cFYI(1, ("NT4 server"));
3979877e SF	231	ses->flags \|= CIFS_SES_NT4;
	232	}
	233	}
	234	data += 2 * (len + 1);
	235	words_left -= len + 1;
	236
790fe579 SF	237	/* save off server domain */
	238	len = UniStrnlen((wchar_t *) data, words_left);
	239
	240	if (len > words_left)
	241	return rc;
	242
	243	if (ses->serverDomain)
	244	kfree(ses->serverDomain);
	245	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	246	if (ses->serverDomain != NULL) {
	247	cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
	248	nls_cp);
	249	ses->serverDomain[2*len] = 0;
	250	ses->serverDomain[(2*len) + 1] = 0;
	251	}
	252	data += 2 * (len + 1);
	253	words_left -= len + 1;
	254
	255	cFYI(1, ("words left: %d", words_left));
3979877e SF	256
	257	return rc;
	258	}
	259
790fe579 SF	260	static int decode_ascii_ssetup(char **pbcc_area, int bleft,
	261	struct cifsSesInfo *ses,
	262	const struct nls_table *nls_cp)
3979877e SF	263	{
	264	int rc = 0;
	265	int len;
790fe579	266	char bcc_ptr = pbcc_area;
3979877e	267
790fe579	268	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));
3979877e SF	269
3979877e SF	270	len = strnlen(bcc_ptr, bleft);
790fe579	271	if (len >= bleft)
3979877e SF	272	return rc;
3979877e SF	273
790fe579	274	if (ses->serverOS)
3979877e SF	275	kfree(ses->serverOS);
	276
	277	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
790fe579	278	if (ses->serverOS)
3979877e	279	strncpy(ses->serverOS, bcc_ptr, len);
790fe579 SF	280	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
790fe579 SF	281	cFYI(1, ("OS/2 server"));
9ac00b7d SF	282	ses->flags \|= CIFS_SES_OS2;
9ac00b7d SF	283	}
3979877e SF	284
	285	bcc_ptr += len + 1;
	286	bleft -= len + 1;
	287
	288	len = strnlen(bcc_ptr, bleft);
790fe579	289	if (len >= bleft)
3979877e SF	290	return rc;
3979877e SF	291
790fe579	292	if (ses->serverNOS)
3979877e SF	293	kfree(ses->serverNOS);
	294
	295	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
790fe579	296	if (ses->serverNOS)
3979877e SF	297	strncpy(ses->serverNOS, bcc_ptr, len);
	298
	299	bcc_ptr += len + 1;
	300	bleft -= len + 1;
	301
790fe579 SF	302	len = strnlen(bcc_ptr, bleft);
	303	if (len > bleft)
	304	return rc;
3979877e	305
9ac00b7d SF	306	/* No domain field in LANMAN case. Domain is
	307	returned by old servers in the SMB negprot response */
	308	/* BB For newer servers which do not support Unicode,
	309	but thus do return domain here we could add parsing
	310	for it later, but it is not very important */
790fe579	311	cFYI(1, ("ascii: bytes left %d", bleft));
3979877e SF	312
	313	return rc;
	314	}
	315
790fe579	316	int
3979877e SF	317	CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
	318	const struct nls_table *nls_cp)
	319	{
	320	int rc = 0;
	321	int wct;
3979877e SF	322	struct smb_hdr *smb_buf;
3979877e SF	323	char *bcc_ptr;
750d1151	324	char *str_area;
3979877e SF	325	SESSION_SETUP_ANDX *pSMB;
	326	__u32 capabilities;
	327	int count;
	328	int resp_buf_type = 0;
750d1151	329	struct kvec iov[2];
3979877e SF	330	enum securityEnum type;
	331	__u16 action;
	332	int bytes_remaining;
254e55ed	333
790fe579	334	if (ses == NULL)
3979877e SF	335	return -EINVAL;
	336
	337	type = ses->server->secType;
f40c5628	338
790fe579 SF	339	cFYI(1, ("sess setup type %d", type));
790fe579 SF	340	if (type == LANMAN) {
3979877e SF	341	#ifndef CONFIG_CIFS_WEAK_PW_HASH
	342	/* LANMAN and plaintext are less secure and off by default.
	343	So we make this explicitly be turned on in kconfig (in the
	344	build) and turned on at runtime (changed from the default)
	345	in proc/fs/cifs or via mount parm. Unfortunately this is
	346	needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
	347	return -EOPNOTSUPP;
	348	#endif
	349	wct = 10; /* lanman 2 style sessionsetup */
790fe579	350	} else if ((type == NTLM) \|\| (type == NTLMv2)) {
9312f675	351	/* For NTLMv2 failures eventually may need to retry NTLM */
3979877e	352	wct = 13; /* old style NTLM sessionsetup */
790fe579	353	} else /* same size: negotiate or auth, NTLMSSP or extended security */
3979877e SF	354	wct = 12;
	355
	356	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
	357	(void **)&smb_buf);
790fe579	358	if (rc)
3979877e SF	359	return rc;
	360
	361	pSMB = (SESSION_SETUP_ANDX *)smb_buf;
	362
	363	capabilities = cifs_ssetup_hdr(ses, pSMB);
750d1151 SF	364
	365	/* we will send the SMB in two pieces,
	366	a fixed length beginning part, and a
	367	second part which will include the strings
	368	and rest of bcc area, in order to avoid having
	369	to do a large buffer 17K allocation */
790fe579 SF	370	iov[0].iov_base = (char *)pSMB;
790fe579 SF	371	iov[0].iov_len = smb_buf->smb_buf_length + 4;
750d1151 SF	372
	373	/* 2000 big enough to fit max user, domain, NOS name etc. */
	374	str_area = kmalloc(2000, GFP_KERNEL);
	375	bcc_ptr = str_area;
3979877e	376
9ac00b7d SF	377	ses->flags &= ~CIFS_SES_LANMAN;
9ac00b7d SF	378
790fe579	379	if (type == LANMAN) {
3979877e	380	#ifdef CONFIG_CIFS_WEAK_PW_HASH
7c7b25bc	381	char lnm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	382
	383	/* no capabilities flags in old lanman negotiation */
	384
790fe579	385	pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e SF	386	/* BB calculate hash with password */
	387	/* and copy into bcc */
	388
7c7b25bc	389	calc_lanman_hash(ses, lnm_session_key);
790fe579	390	ses->flags \|= CIFS_SES_LANMAN;
750d1151	391	/* #ifdef CONFIG_CIFS_DEBUG2
3979877e	392	cifs_dump_mem("cryptkey: ",ses->server->cryptKey,
7c7b25bc	393	CIFS_SESS_KEY_SIZE);
750d1151	394	#endif */
7c7b25bc SF	395	memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc SF	396	bcc_ptr += CIFS_SESS_KEY_SIZE;
3979877e SF	397
	398	/* can not sign if LANMAN negotiated so no need
	399	to calculate signing key? but what if server
	400	changed to do higher than lanman dialect and
	401	we reconnected would we ever calc signing_key? */
	402
790fe579	403	cFYI(1, ("Negotiating LANMAN setting up strings"));
3979877e SF	404	/* Unicode not allowed for LANMAN dialects */
3979877e SF	405	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
790fe579	406	#endif
3979877e	407	} else if (type == NTLM) {
7c7b25bc	408	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3979877e SF	409
	410	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	411	pSMB->req_no_secext.CaseInsensitivePasswordLength =
7c7b25bc	412	cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e	413	pSMB->req_no_secext.CaseSensitivePasswordLength =
7c7b25bc	414	cpu_to_le16(CIFS_SESS_KEY_SIZE);
3979877e SF	415
	416	/* calculate session key */
	417	SMBNTencrypt(ses->password, ses->server->cryptKey,
	418	ntlm_session_key);
	419
790fe579	420	if (first_time) /* should this be moved into common code
3979877e	421	with similar ntlmv2 path? */
750d1151	422	cifs_calculate_mac_key(ses->server->mac_signing_key,
3979877e SF	423	ntlm_session_key, ses->password);
	424	/* copy session key */
	425
790fe579	426	memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc	427	bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579	428	memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
7c7b25bc	429	bcc_ptr += CIFS_SESS_KEY_SIZE;
790fe579	430	if (ses->capabilities & CAP_UNICODE) {
0223cf0b SF	431	/* unicode strings must be word aligned */
	432	if (iov[0].iov_len % 2) {
	433	*bcc_ptr = 0;
790fe579 SF	434	bcc_ptr++;
790fe579 SF	435	}
7c7b25bc	436	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	437	} else
7c7b25bc SF	438	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
7c7b25bc SF	439	} else if (type == NTLMv2) {
790fe579	440	char *v2_sess_key =
6d027cfd	441	kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
f64b23ae SF	442
	443	/* BB FIXME change all users of v2_sess_key to
	444	struct ntlmv2_resp */
7c7b25bc	445
790fe579	446	if (v2_sess_key == NULL) {
7c7b25bc SF	447	cifs_small_buf_release(smb_buf);
	448	return -ENOMEM;
	449	}
	450
	451	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
	452
	453	/* LM2 password would be here if we supported it */
	454	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
	455	/* cpu_to_le16(LM2_SESS_KEY_SIZE); */
	456
	457	pSMB->req_no_secext.CaseSensitivePasswordLength =
f64b23ae	458	cpu_to_le16(sizeof(struct ntlmv2_resp));
7c7b25bc SF	459
7c7b25bc SF	460	/* calculate session key */
1717ffc5	461	setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
790fe579 SF	462	if (first_time) /* should this be moved into common code
790fe579 SF	463	with similar ntlmv2 path? */
7c7b25bc SF	464	/* cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
	465	response BB FIXME, v2_sess_key); */
	466
	467	/* copy session key */
	468
	469	/* memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
	470	bcc_ptr += LM2_SESS_KEY_SIZE; */
f64b23ae SF	471	memcpy(bcc_ptr, (char *)v2_sess_key, sizeof(struct ntlmv2_resp));
	472	bcc_ptr += sizeof(struct ntlmv2_resp);
	473	kfree(v2_sess_key);
790fe579 SF	474	if (ses->capabilities & CAP_UNICODE) {
790fe579 SF	475	if (iov[0].iov_len % 2) {
0223cf0b SF	476	*bcc_ptr = 0;
0223cf0b SF	477	} bcc_ptr++;
3979877e	478	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
0223cf0b	479	} else
3979877e SF	480	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	481	} else /* NTLMSSP or SPNEGO */ {
	482	pSMB->req.hdr.Flags2 \|= SMBFLG2_EXT_SEC;
	483	capabilities \|= CAP_EXTENDED_SECURITY;
	484	pSMB->req.Capabilities = cpu_to_le32(capabilities);
	485	/* BB set password lengths */
	486	}
	487
750d1151	488	count = (long) bcc_ptr - (long) str_area;
3979877e SF	489	smb_buf->smb_buf_length += count;
3979877e SF	490
3979877e SF	491	BCC_LE(smb_buf) = cpu_to_le16(count);
3979877e SF	492
750d1151	493	iov[1].iov_base = str_area;
790fe579	494	iov[1].iov_len = count;
750d1151	495	rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0);
3979877e SF	496	/* SMB request buf freed in SendReceive2 */
3979877e SF	497
790fe579 SF	498	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
790fe579 SF	499	if (rc)
3979877e SF	500	goto ssetup_exit;
	501
	502	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	503	smb_buf = (struct smb_hdr *)iov[0].iov_base;
	504
790fe579	505	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
3979877e	506	rc = -EIO;
790fe579	507	cERROR(1, ("bad word count %d", smb_buf->WordCount));
3979877e SF	508	goto ssetup_exit;
	509	}
	510	action = le16_to_cpu(pSMB->resp.Action);
	511	if (action & GUEST_LOGIN)
189acaae	512	cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
3979877e SF	513	ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
	514	cFYI(1, ("UID = %d ", ses->Suid));
	515	/* response can have either 3 or 4 word count - Samba sends 3 */
	516	/* and lanman response is 3 */
	517	bytes_remaining = BCC(smb_buf);
	518	bcc_ptr = pByteArea(smb_buf);
	519
790fe579	520	if (smb_buf->WordCount == 4) {
3979877e SF	521	__u16 blob_len;
	522	blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
	523	bcc_ptr += blob_len;
790fe579 SF	524	if (blob_len > bytes_remaining) {
790fe579 SF	525	cERROR(1, ("bad security blob length %d", blob_len));
3979877e SF	526	rc = -EINVAL;
	527	goto ssetup_exit;
	528	}
	529	bytes_remaining -= blob_len;
790fe579	530	}
3979877e SF	531
3979877e SF	532	/* BB check if Unicode and decode strings */
790fe579	533	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
3979877e SF	534	rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
	535	ses, nls_cp);
	536	else
	537	rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
	538
	539	ssetup_exit:
750d1151	540	kfree(str_area);
790fe579 SF	541	if (resp_buf_type == CIFS_SMALL_BUFFER) {
790fe579 SF	542	cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
3979877e	543	cifs_small_buf_release(iov[0].iov_base);
790fe579	544	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
3979877e SF	545	cifs_buf_release(iov[0].iov_base);
	546
	547	return rc;
	548	}