smb2transport.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562
  1. /*
  2. * fs/cifs/smb2transport.c
  3. *
  4. * Copyright (C) International Business Machines Corp., 2002, 2011
  5. * Etersoft, 2012
  6. * Author(s): Steve French (sfrench@us.ibm.com)
  7. * Jeremy Allison (jra@samba.org) 2006
  8. * Pavel Shilovsky (pshilovsky@samba.org) 2012
  9. *
  10. * This library is free software; you can redistribute it and/or modify
  11. * it under the terms of the GNU Lesser General Public License as published
  12. * by the Free Software Foundation; either version 2.1 of the License, or
  13. * (at your option) any later version.
  14. *
  15. * This library is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
  18. * the GNU Lesser General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Lesser General Public License
  21. * along with this library; if not, write to the Free Software
  22. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  23. */
  24. #include <linux/fs.h>
  25. #include <linux/list.h>
  26. #include <linux/wait.h>
  27. #include <linux/net.h>
  28. #include <linux/delay.h>
  29. #include <linux/uaccess.h>
  30. #include <asm/processor.h>
  31. #include <linux/mempool.h>
  32. #include <linux/highmem.h>
  33. #include "smb2pdu.h"
  34. #include "cifsglob.h"
  35. #include "cifsproto.h"
  36. #include "smb2proto.h"
  37. #include "cifs_debug.h"
  38. #include "smb2status.h"
  39. #include "smb2glob.h"
  40. static int
  41. smb2_crypto_shash_allocate(struct TCP_Server_Info *server)
  42. {
  43. unsigned int size;
  44. if (server->secmech.sdeschmacsha256 != NULL)
  45. return 0; /* already allocated */
  46. server->secmech.hmacsha256 = crypto_alloc_shash("hmac(sha256)", 0, 0);
  47. if (IS_ERR(server->secmech.hmacsha256)) {
  48. cifs_dbg(VFS, "could not allocate crypto hmacsha256\n");
  49. return PTR_ERR(server->secmech.hmacsha256);
  50. }
  51. size = sizeof(struct shash_desc) +
  52. crypto_shash_descsize(server->secmech.hmacsha256);
  53. server->secmech.sdeschmacsha256 = kmalloc(size, GFP_KERNEL);
  54. if (!server->secmech.sdeschmacsha256) {
  55. crypto_free_shash(server->secmech.hmacsha256);
  56. server->secmech.hmacsha256 = NULL;
  57. return -ENOMEM;
  58. }
  59. server->secmech.sdeschmacsha256->shash.tfm = server->secmech.hmacsha256;
  60. server->secmech.sdeschmacsha256->shash.flags = 0x0;
  61. return 0;
  62. }
  63. static int
  64. smb3_crypto_shash_allocate(struct TCP_Server_Info *server)
  65. {
  66. unsigned int size;
  67. int rc;
  68. if (server->secmech.sdesccmacaes != NULL)
  69. return 0; /* already allocated */
  70. rc = smb2_crypto_shash_allocate(server);
  71. if (rc)
  72. return rc;
  73. server->secmech.cmacaes = crypto_alloc_shash("cmac(aes)", 0, 0);
  74. if (IS_ERR(server->secmech.cmacaes)) {
  75. cifs_dbg(VFS, "could not allocate crypto cmac-aes");
  76. kfree(server->secmech.sdeschmacsha256);
  77. server->secmech.sdeschmacsha256 = NULL;
  78. crypto_free_shash(server->secmech.hmacsha256);
  79. server->secmech.hmacsha256 = NULL;
  80. return PTR_ERR(server->secmech.cmacaes);
  81. }
  82. size = sizeof(struct shash_desc) +
  83. crypto_shash_descsize(server->secmech.cmacaes);
  84. server->secmech.sdesccmacaes = kmalloc(size, GFP_KERNEL);
  85. if (!server->secmech.sdesccmacaes) {
  86. cifs_dbg(VFS, "%s: Can't alloc cmacaes\n", __func__);
  87. kfree(server->secmech.sdeschmacsha256);
  88. server->secmech.sdeschmacsha256 = NULL;
  89. crypto_free_shash(server->secmech.hmacsha256);
  90. crypto_free_shash(server->secmech.cmacaes);
  91. server->secmech.hmacsha256 = NULL;
  92. server->secmech.cmacaes = NULL;
  93. return -ENOMEM;
  94. }
  95. server->secmech.sdesccmacaes->shash.tfm = server->secmech.cmacaes;
  96. server->secmech.sdesccmacaes->shash.flags = 0x0;
  97. return 0;
  98. }
  99. int
  100. smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  101. {
  102. int i, rc;
  103. unsigned char smb2_signature[SMB2_HMACSHA256_SIZE];
  104. unsigned char *sigptr = smb2_signature;
  105. struct kvec *iov = rqst->rq_iov;
  106. int n_vec = rqst->rq_nvec;
  107. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)iov[0].iov_base;
  108. memset(smb2_signature, 0x0, SMB2_HMACSHA256_SIZE);
  109. memset(smb2_pdu->Signature, 0x0, SMB2_SIGNATURE_SIZE);
  110. rc = smb2_crypto_shash_allocate(server);
  111. if (rc) {
  112. cifs_dbg(VFS, "%s: shah256 alloc failed\n", __func__);
  113. return rc;
  114. }
  115. rc = crypto_shash_setkey(server->secmech.hmacsha256,
  116. server->session_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
  117. if (rc) {
  118. cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
  119. return rc;
  120. }
  121. rc = crypto_shash_init(&server->secmech.sdeschmacsha256->shash);
  122. if (rc) {
  123. cifs_dbg(VFS, "%s: Could not init sha256", __func__);
  124. return rc;
  125. }
  126. for (i = 0; i < n_vec; i++) {
  127. if (iov[i].iov_len == 0)
  128. continue;
  129. if (iov[i].iov_base == NULL) {
  130. cifs_dbg(VFS, "null iovec entry\n");
  131. return -EIO;
  132. }
  133. /*
  134. * The first entry includes a length field (which does not get
  135. * signed that occupies the first 4 bytes before the header).
  136. */
  137. if (i == 0) {
  138. if (iov[0].iov_len <= 8) /* cmd field at offset 9 */
  139. break; /* nothing to sign or corrupt header */
  140. rc =
  141. crypto_shash_update(
  142. &server->secmech.sdeschmacsha256->shash,
  143. iov[i].iov_base + 4, iov[i].iov_len - 4);
  144. } else {
  145. rc =
  146. crypto_shash_update(
  147. &server->secmech.sdeschmacsha256->shash,
  148. iov[i].iov_base, iov[i].iov_len);
  149. }
  150. if (rc) {
  151. cifs_dbg(VFS, "%s: Could not update with payload\n",
  152. __func__);
  153. return rc;
  154. }
  155. }
  156. /* now hash over the rq_pages array */
  157. for (i = 0; i < rqst->rq_npages; i++) {
  158. struct kvec p_iov;
  159. cifs_rqst_page_to_kvec(rqst, i, &p_iov);
  160. crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  161. p_iov.iov_base, p_iov.iov_len);
  162. kunmap(rqst->rq_pages[i]);
  163. }
  164. rc = crypto_shash_final(&server->secmech.sdeschmacsha256->shash,
  165. sigptr);
  166. if (rc)
  167. cifs_dbg(VFS, "%s: Could not generate sha256 hash\n", __func__);
  168. memcpy(smb2_pdu->Signature, sigptr, SMB2_SIGNATURE_SIZE);
  169. return rc;
  170. }
  171. void
  172. generate_smb3signingkey(struct TCP_Server_Info *server)
  173. {
  174. unsigned char zero = 0x0;
  175. __u8 i[4] = {0, 0, 0, 1};
  176. __u8 L[4] = {0, 0, 0, 128};
  177. int rc = 0;
  178. unsigned char prfhash[SMB2_HMACSHA256_SIZE];
  179. unsigned char *hashptr = prfhash;
  180. memset(prfhash, 0x0, SMB2_HMACSHA256_SIZE);
  181. memset(server->smb3signingkey, 0x0, SMB3_SIGNKEY_SIZE);
  182. rc = smb3_crypto_shash_allocate(server);
  183. if (rc) {
  184. cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
  185. goto smb3signkey_ret;
  186. }
  187. rc = crypto_shash_setkey(server->secmech.hmacsha256,
  188. server->session_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
  189. if (rc) {
  190. cifs_dbg(VFS, "%s: Could not set with session key\n", __func__);
  191. goto smb3signkey_ret;
  192. }
  193. rc = crypto_shash_init(&server->secmech.sdeschmacsha256->shash);
  194. if (rc) {
  195. cifs_dbg(VFS, "%s: Could not init sign hmac\n", __func__);
  196. goto smb3signkey_ret;
  197. }
  198. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  199. i, 4);
  200. if (rc) {
  201. cifs_dbg(VFS, "%s: Could not update with n\n", __func__);
  202. goto smb3signkey_ret;
  203. }
  204. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  205. "SMB2AESCMAC", 12);
  206. if (rc) {
  207. cifs_dbg(VFS, "%s: Could not update with label\n", __func__);
  208. goto smb3signkey_ret;
  209. }
  210. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  211. &zero, 1);
  212. if (rc) {
  213. cifs_dbg(VFS, "%s: Could not update with zero\n", __func__);
  214. goto smb3signkey_ret;
  215. }
  216. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  217. "SmbSign", 8);
  218. if (rc) {
  219. cifs_dbg(VFS, "%s: Could not update with context\n", __func__);
  220. goto smb3signkey_ret;
  221. }
  222. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  223. L, 4);
  224. if (rc) {
  225. cifs_dbg(VFS, "%s: Could not update with L\n", __func__);
  226. goto smb3signkey_ret;
  227. }
  228. rc = crypto_shash_final(&server->secmech.sdeschmacsha256->shash,
  229. hashptr);
  230. if (rc) {
  231. cifs_dbg(VFS, "%s: Could not generate sha256 hash\n", __func__);
  232. goto smb3signkey_ret;
  233. }
  234. memcpy(server->smb3signingkey, hashptr, SMB3_SIGNKEY_SIZE);
  235. smb3signkey_ret:
  236. return;
  237. }
  238. int
  239. smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  240. {
  241. int i, rc;
  242. unsigned char smb3_signature[SMB2_CMACAES_SIZE];
  243. unsigned char *sigptr = smb3_signature;
  244. struct kvec *iov = rqst->rq_iov;
  245. int n_vec = rqst->rq_nvec;
  246. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)iov[0].iov_base;
  247. memset(smb3_signature, 0x0, SMB2_CMACAES_SIZE);
  248. memset(smb2_pdu->Signature, 0x0, SMB2_SIGNATURE_SIZE);
  249. rc = crypto_shash_setkey(server->secmech.cmacaes,
  250. server->smb3signingkey, SMB2_CMACAES_SIZE);
  251. if (rc) {
  252. cifs_dbg(VFS, "%s: Could not set key for cmac aes\n", __func__);
  253. return rc;
  254. }
  255. /*
  256. * we already allocate sdesccmacaes when we init smb3 signing key,
  257. * so unlike smb2 case we do not have to check here if secmech are
  258. * initialized
  259. */
  260. rc = crypto_shash_init(&server->secmech.sdesccmacaes->shash);
  261. if (rc) {
  262. cifs_dbg(VFS, "%s: Could not init cmac aes\n", __func__);
  263. return rc;
  264. }
  265. for (i = 0; i < n_vec; i++) {
  266. if (iov[i].iov_len == 0)
  267. continue;
  268. if (iov[i].iov_base == NULL) {
  269. cifs_dbg(VFS, "null iovec entry");
  270. return -EIO;
  271. }
  272. /*
  273. * The first entry includes a length field (which does not get
  274. * signed that occupies the first 4 bytes before the header).
  275. */
  276. if (i == 0) {
  277. if (iov[0].iov_len <= 8) /* cmd field at offset 9 */
  278. break; /* nothing to sign or corrupt header */
  279. rc =
  280. crypto_shash_update(
  281. &server->secmech.sdesccmacaes->shash,
  282. iov[i].iov_base + 4, iov[i].iov_len - 4);
  283. } else {
  284. rc =
  285. crypto_shash_update(
  286. &server->secmech.sdesccmacaes->shash,
  287. iov[i].iov_base, iov[i].iov_len);
  288. }
  289. if (rc) {
  290. cifs_dbg(VFS, "%s: Couldn't update cmac aes with payload\n",
  291. __func__);
  292. return rc;
  293. }
  294. }
  295. /* now hash over the rq_pages array */
  296. for (i = 0; i < rqst->rq_npages; i++) {
  297. struct kvec p_iov;
  298. cifs_rqst_page_to_kvec(rqst, i, &p_iov);
  299. crypto_shash_update(&server->secmech.sdesccmacaes->shash,
  300. p_iov.iov_base, p_iov.iov_len);
  301. kunmap(rqst->rq_pages[i]);
  302. }
  303. rc = crypto_shash_final(&server->secmech.sdesccmacaes->shash,
  304. sigptr);
  305. if (rc)
  306. cifs_dbg(VFS, "%s: Could not generate cmac aes\n", __func__);
  307. memcpy(smb2_pdu->Signature, sigptr, SMB2_SIGNATURE_SIZE);
  308. return rc;
  309. }
  310. /* must be called with server->srv_mutex held */
  311. static int
  312. smb2_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  313. {
  314. int rc = 0;
  315. struct smb2_hdr *smb2_pdu = rqst->rq_iov[0].iov_base;
  316. if (!(smb2_pdu->Flags & SMB2_FLAGS_SIGNED) ||
  317. server->tcpStatus == CifsNeedNegotiate)
  318. return rc;
  319. if (!server->session_estab) {
  320. strncpy(smb2_pdu->Signature, "BSRSPYL", 8);
  321. return rc;
  322. }
  323. rc = server->ops->calc_signature(rqst, server);
  324. return rc;
  325. }
  326. int
  327. smb2_verify_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  328. {
  329. unsigned int rc;
  330. char server_response_sig[16];
  331. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  332. if ((smb2_pdu->Command == SMB2_NEGOTIATE) ||
  333. (smb2_pdu->Command == SMB2_OPLOCK_BREAK) ||
  334. (!server->session_estab))
  335. return 0;
  336. /*
  337. * BB what if signatures are supposed to be on for session but
  338. * server does not send one? BB
  339. */
  340. /* Do not need to verify session setups with signature "BSRSPYL " */
  341. if (memcmp(smb2_pdu->Signature, "BSRSPYL ", 8) == 0)
  342. cifs_dbg(FYI, "dummy signature received for smb command 0x%x\n",
  343. smb2_pdu->Command);
  344. /*
  345. * Save off the origiginal signature so we can modify the smb and check
  346. * our calculated signature against what the server sent.
  347. */
  348. memcpy(server_response_sig, smb2_pdu->Signature, SMB2_SIGNATURE_SIZE);
  349. memset(smb2_pdu->Signature, 0, SMB2_SIGNATURE_SIZE);
  350. mutex_lock(&server->srv_mutex);
  351. rc = server->ops->calc_signature(rqst, server);
  352. mutex_unlock(&server->srv_mutex);
  353. if (rc)
  354. return rc;
  355. if (memcmp(server_response_sig, smb2_pdu->Signature,
  356. SMB2_SIGNATURE_SIZE))
  357. return -EACCES;
  358. else
  359. return 0;
  360. }
  361. /*
  362. * Set message id for the request. Should be called after wait_for_free_request
  363. * and when srv_mutex is held.
  364. */
  365. static inline void
  366. smb2_seq_num_into_buf(struct TCP_Server_Info *server, struct smb2_hdr *hdr)
  367. {
  368. hdr->MessageId = get_next_mid(server);
  369. }
  370. static struct mid_q_entry *
  371. smb2_mid_entry_alloc(const struct smb2_hdr *smb_buffer,
  372. struct TCP_Server_Info *server)
  373. {
  374. struct mid_q_entry *temp;
  375. if (server == NULL) {
  376. cifs_dbg(VFS, "Null TCP session in smb2_mid_entry_alloc\n");
  377. return NULL;
  378. }
  379. temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS);
  380. if (temp == NULL)
  381. return temp;
  382. else {
  383. memset(temp, 0, sizeof(struct mid_q_entry));
  384. temp->mid = smb_buffer->MessageId; /* always LE */
  385. temp->pid = current->pid;
  386. temp->command = smb_buffer->Command; /* Always LE */
  387. temp->when_alloc = jiffies;
  388. temp->server = server;
  389. /*
  390. * The default is for the mid to be synchronous, so the
  391. * default callback just wakes up the current task.
  392. */
  393. temp->callback = cifs_wake_up_task;
  394. temp->callback_data = current;
  395. }
  396. atomic_inc(&midCount);
  397. temp->mid_state = MID_REQUEST_ALLOCATED;
  398. return temp;
  399. }
  400. static int
  401. smb2_get_mid_entry(struct cifs_ses *ses, struct smb2_hdr *buf,
  402. struct mid_q_entry **mid)
  403. {
  404. if (ses->server->tcpStatus == CifsExiting)
  405. return -ENOENT;
  406. if (ses->server->tcpStatus == CifsNeedReconnect) {
  407. cifs_dbg(FYI, "tcp session dead - return to caller to retry\n");
  408. return -EAGAIN;
  409. }
  410. if (ses->status != CifsGood) {
  411. /* check if SMB2 session is bad because we are setting it up */
  412. if ((buf->Command != SMB2_SESSION_SETUP) &&
  413. (buf->Command != SMB2_NEGOTIATE))
  414. return -EAGAIN;
  415. /* else ok - we are setting up session */
  416. }
  417. *mid = smb2_mid_entry_alloc(buf, ses->server);
  418. if (*mid == NULL)
  419. return -ENOMEM;
  420. spin_lock(&GlobalMid_Lock);
  421. list_add_tail(&(*mid)->qhead, &ses->server->pending_mid_q);
  422. spin_unlock(&GlobalMid_Lock);
  423. return 0;
  424. }
  425. int
  426. smb2_check_receive(struct mid_q_entry *mid, struct TCP_Server_Info *server,
  427. bool log_error)
  428. {
  429. unsigned int len = get_rfc1002_length(mid->resp_buf);
  430. struct kvec iov;
  431. struct smb_rqst rqst = { .rq_iov = &iov,
  432. .rq_nvec = 1 };
  433. iov.iov_base = (char *)mid->resp_buf;
  434. iov.iov_len = get_rfc1002_length(mid->resp_buf) + 4;
  435. dump_smb(mid->resp_buf, min_t(u32, 80, len));
  436. /* convert the length into a more usable form */
  437. if (len > 24 && server->sign) {
  438. int rc;
  439. rc = smb2_verify_signature(&rqst, server);
  440. if (rc)
  441. cifs_dbg(VFS, "SMB signature verification returned error = %d\n",
  442. rc);
  443. }
  444. return map_smb2_to_linux_error(mid->resp_buf, log_error);
  445. }
  446. struct mid_q_entry *
  447. smb2_setup_request(struct cifs_ses *ses, struct smb_rqst *rqst)
  448. {
  449. int rc;
  450. struct smb2_hdr *hdr = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  451. struct mid_q_entry *mid;
  452. smb2_seq_num_into_buf(ses->server, hdr);
  453. rc = smb2_get_mid_entry(ses, hdr, &mid);
  454. if (rc)
  455. return ERR_PTR(rc);
  456. rc = smb2_sign_rqst(rqst, ses->server);
  457. if (rc) {
  458. cifs_delete_mid(mid);
  459. return ERR_PTR(rc);
  460. }
  461. return mid;
  462. }
  463. struct mid_q_entry *
  464. smb2_setup_async_request(struct TCP_Server_Info *server, struct smb_rqst *rqst)
  465. {
  466. int rc;
  467. struct smb2_hdr *hdr = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  468. struct mid_q_entry *mid;
  469. smb2_seq_num_into_buf(server, hdr);
  470. mid = smb2_mid_entry_alloc(hdr, server);
  471. if (mid == NULL)
  472. return ERR_PTR(-ENOMEM);
  473. rc = smb2_sign_rqst(rqst, server);
  474. if (rc) {
  475. DeleteMidQEntry(mid);
  476. return ERR_PTR(rc);
  477. }
  478. return mid;
  479. }