smb2pdu.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125
  1. /*
  2. * fs/cifs/smb2pdu.c
  3. *
  4. * Copyright (C) International Business Machines Corp., 2009, 2011
  5. * Etersoft, 2012
  6. * Author(s): Steve French (sfrench@us.ibm.com)
  7. * Pavel Shilovsky (pshilovsky@samba.org) 2012
  8. *
  9. * Contains the routines for constructing the SMB2 PDUs themselves
  10. *
  11. * This library is free software; you can redistribute it and/or modify
  12. * it under the terms of the GNU Lesser General Public License as published
  13. * by the Free Software Foundation; either version 2.1 of the License, or
  14. * (at your option) any later version.
  15. *
  16. * This library is distributed in the hope that it will be useful,
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
  19. * the GNU Lesser General Public License for more details.
  20. *
  21. * You should have received a copy of the GNU Lesser General Public License
  22. * along with this library; if not, write to the Free Software
  23. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  24. */
  25. /* SMB2 PDU handling routines here - except for leftovers (eg session setup) */
  26. /* Note that there are handle based routines which must be */
  27. /* treated slightly differently for reconnection purposes since we never */
  28. /* want to reuse a stale file handle and only the caller knows the file info */
  29. #include <linux/fs.h>
  30. #include <linux/kernel.h>
  31. #include <linux/vfs.h>
  32. #include <linux/uaccess.h>
  33. #include <linux/xattr.h>
  34. #include "smb2pdu.h"
  35. #include "cifsglob.h"
  36. #include "cifsacl.h"
  37. #include "cifsproto.h"
  38. #include "smb2proto.h"
  39. #include "cifs_unicode.h"
  40. #include "cifs_debug.h"
  41. #include "ntlmssp.h"
  42. #include "smb2status.h"
  43. /*
  44. * The following table defines the expected "StructureSize" of SMB2 requests
  45. * in order by SMB2 command. This is similar to "wct" in SMB/CIFS requests.
  46. *
  47. * Note that commands are defined in smb2pdu.h in le16 but the array below is
  48. * indexed by command in host byte order.
  49. */
  50. static const int smb2_req_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
  51. /* SMB2_NEGOTIATE */ 36,
  52. /* SMB2_SESSION_SETUP */ 25,
  53. /* SMB2_LOGOFF */ 4,
  54. /* SMB2_TREE_CONNECT */ 9,
  55. /* SMB2_TREE_DISCONNECT */ 4,
  56. /* SMB2_CREATE */ 57,
  57. /* SMB2_CLOSE */ 24,
  58. /* SMB2_FLUSH */ 24,
  59. /* SMB2_READ */ 49,
  60. /* SMB2_WRITE */ 49,
  61. /* SMB2_LOCK */ 48,
  62. /* SMB2_IOCTL */ 57,
  63. /* SMB2_CANCEL */ 4,
  64. /* SMB2_ECHO */ 4,
  65. /* SMB2_QUERY_DIRECTORY */ 33,
  66. /* SMB2_CHANGE_NOTIFY */ 32,
  67. /* SMB2_QUERY_INFO */ 41,
  68. /* SMB2_SET_INFO */ 33,
  69. /* SMB2_OPLOCK_BREAK */ 24 /* BB this is 36 for LEASE_BREAK variant */
  70. };
  71. static void
  72. smb2_hdr_assemble(struct smb2_hdr *hdr, __le16 smb2_cmd /* command */ ,
  73. const struct cifs_tcon *tcon)
  74. {
  75. struct smb2_pdu *pdu = (struct smb2_pdu *)hdr;
  76. char *temp = (char *)hdr;
  77. /* lookup word count ie StructureSize from table */
  78. __u16 parmsize = smb2_req_struct_sizes[le16_to_cpu(smb2_cmd)];
  79. /*
  80. * smaller than SMALL_BUFFER_SIZE but bigger than fixed area of
  81. * largest operations (Create)
  82. */
  83. memset(temp, 0, 256);
  84. /* Note this is only network field converted to big endian */
  85. hdr->smb2_buf_length = cpu_to_be32(parmsize + sizeof(struct smb2_hdr)
  86. - 4 /* RFC 1001 length field itself not counted */);
  87. hdr->ProtocolId[0] = 0xFE;
  88. hdr->ProtocolId[1] = 'S';
  89. hdr->ProtocolId[2] = 'M';
  90. hdr->ProtocolId[3] = 'B';
  91. hdr->StructureSize = cpu_to_le16(64);
  92. hdr->Command = smb2_cmd;
  93. hdr->CreditRequest = cpu_to_le16(2); /* BB make this dynamic */
  94. hdr->ProcessId = cpu_to_le32((__u16)current->tgid);
  95. if (!tcon)
  96. goto out;
  97. hdr->TreeId = tcon->tid;
  98. /* Uid is not converted */
  99. if (tcon->ses)
  100. hdr->SessionId = tcon->ses->Suid;
  101. /* BB check following DFS flags BB */
  102. /* BB do we have to add check for SHI1005_FLAGS_DFS_ROOT too? */
  103. if (tcon->share_flags & SHI1005_FLAGS_DFS)
  104. hdr->Flags |= SMB2_FLAGS_DFS_OPERATIONS;
  105. /* BB how does SMB2 do case sensitive? */
  106. /* if (tcon->nocase)
  107. hdr->Flags |= SMBFLG_CASELESS; */
  108. /* if (tcon->ses && tcon->ses->server &&
  109. (tcon->ses->server->sec_mode & SECMODE_SIGN_REQUIRED))
  110. hdr->Flags |= SMB2_FLAGS_SIGNED; */
  111. out:
  112. pdu->StructureSize2 = cpu_to_le16(parmsize);
  113. return;
  114. }
  115. static int
  116. smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
  117. {
  118. int rc = 0;
  119. struct nls_table *nls_codepage;
  120. struct cifs_ses *ses;
  121. struct TCP_Server_Info *server;
  122. /*
  123. * SMB2s NegProt, SessSetup, Logoff do not have tcon yet so
  124. * check for tcp and smb session status done differently
  125. * for those three - in the calling routine.
  126. */
  127. if (tcon == NULL)
  128. return rc;
  129. if (smb2_command == SMB2_TREE_CONNECT)
  130. return rc;
  131. if (tcon->tidStatus == CifsExiting) {
  132. /*
  133. * only tree disconnect, open, and write,
  134. * (and ulogoff which does not have tcon)
  135. * are allowed as we start force umount.
  136. */
  137. if ((smb2_command != SMB2_WRITE) &&
  138. (smb2_command != SMB2_CREATE) &&
  139. (smb2_command != SMB2_TREE_DISCONNECT)) {
  140. cFYI(1, "can not send cmd %d while umounting",
  141. smb2_command);
  142. return -ENODEV;
  143. }
  144. }
  145. if ((!tcon->ses) || (tcon->ses->status == CifsExiting) ||
  146. (!tcon->ses->server))
  147. return -EIO;
  148. ses = tcon->ses;
  149. server = ses->server;
  150. /*
  151. * Give demultiplex thread up to 10 seconds to reconnect, should be
  152. * greater than cifs socket timeout which is 7 seconds
  153. */
  154. while (server->tcpStatus == CifsNeedReconnect) {
  155. /*
  156. * Return to caller for TREE_DISCONNECT and LOGOFF and CLOSE
  157. * here since they are implicitly done when session drops.
  158. */
  159. switch (smb2_command) {
  160. /*
  161. * BB Should we keep oplock break and add flush to exceptions?
  162. */
  163. case SMB2_TREE_DISCONNECT:
  164. case SMB2_CANCEL:
  165. case SMB2_CLOSE:
  166. case SMB2_OPLOCK_BREAK:
  167. return -EAGAIN;
  168. }
  169. wait_event_interruptible_timeout(server->response_q,
  170. (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
  171. /* are we still trying to reconnect? */
  172. if (server->tcpStatus != CifsNeedReconnect)
  173. break;
  174. /*
  175. * on "soft" mounts we wait once. Hard mounts keep
  176. * retrying until process is killed or server comes
  177. * back on-line
  178. */
  179. if (!tcon->retry) {
  180. cFYI(1, "gave up waiting on reconnect in smb_init");
  181. return -EHOSTDOWN;
  182. }
  183. }
  184. if (!tcon->ses->need_reconnect && !tcon->need_reconnect)
  185. return rc;
  186. nls_codepage = load_nls_default();
  187. /*
  188. * need to prevent multiple threads trying to simultaneously reconnect
  189. * the same SMB session
  190. */
  191. mutex_lock(&tcon->ses->session_mutex);
  192. rc = cifs_negotiate_protocol(0, tcon->ses);
  193. if (!rc && tcon->ses->need_reconnect)
  194. rc = cifs_setup_session(0, tcon->ses, nls_codepage);
  195. if (rc || !tcon->need_reconnect) {
  196. mutex_unlock(&tcon->ses->session_mutex);
  197. goto out;
  198. }
  199. cifs_mark_open_files_invalid(tcon);
  200. rc = SMB2_tcon(0, tcon->ses, tcon->treeName, tcon, nls_codepage);
  201. mutex_unlock(&tcon->ses->session_mutex);
  202. cFYI(1, "reconnect tcon rc = %d", rc);
  203. if (rc)
  204. goto out;
  205. atomic_inc(&tconInfoReconnectCount);
  206. /*
  207. * BB FIXME add code to check if wsize needs update due to negotiated
  208. * smb buffer size shrinking.
  209. */
  210. out:
  211. /*
  212. * Check if handle based operation so we know whether we can continue
  213. * or not without returning to caller to reset file handle.
  214. */
  215. /*
  216. * BB Is flush done by server on drop of tcp session? Should we special
  217. * case it and skip above?
  218. */
  219. switch (smb2_command) {
  220. case SMB2_FLUSH:
  221. case SMB2_READ:
  222. case SMB2_WRITE:
  223. case SMB2_LOCK:
  224. case SMB2_IOCTL:
  225. case SMB2_QUERY_DIRECTORY:
  226. case SMB2_CHANGE_NOTIFY:
  227. case SMB2_QUERY_INFO:
  228. case SMB2_SET_INFO:
  229. return -EAGAIN;
  230. }
  231. unload_nls(nls_codepage);
  232. return rc;
  233. }
  234. /*
  235. * Allocate and return pointer to an SMB request hdr, and set basic
  236. * SMB information in the SMB header. If the return code is zero, this
  237. * function must have filled in request_buf pointer.
  238. */
  239. static int
  240. small_smb2_init(__le16 smb2_command, struct cifs_tcon *tcon,
  241. void **request_buf)
  242. {
  243. int rc = 0;
  244. rc = smb2_reconnect(smb2_command, tcon);
  245. if (rc)
  246. return rc;
  247. /* BB eventually switch this to SMB2 specific small buf size */
  248. *request_buf = cifs_small_buf_get();
  249. if (*request_buf == NULL) {
  250. /* BB should we add a retry in here if not a writepage? */
  251. return -ENOMEM;
  252. }
  253. smb2_hdr_assemble((struct smb2_hdr *) *request_buf, smb2_command, tcon);
  254. if (tcon != NULL) {
  255. #ifdef CONFIG_CIFS_STATS2
  256. uint16_t com_code = le16_to_cpu(smb2_command);
  257. cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]);
  258. #endif
  259. cifs_stats_inc(&tcon->num_smbs_sent);
  260. }
  261. return rc;
  262. }
  263. static void
  264. free_rsp_buf(int resp_buftype, void *rsp)
  265. {
  266. if (resp_buftype == CIFS_SMALL_BUFFER)
  267. cifs_small_buf_release(rsp);
  268. else if (resp_buftype == CIFS_LARGE_BUFFER)
  269. cifs_buf_release(rsp);
  270. }
  271. #define SMB2_NUM_PROT 1
  272. #define SMB2_PROT 0
  273. #define SMB21_PROT 1
  274. #define BAD_PROT 0xFFFF
  275. #define SMB2_PROT_ID 0x0202
  276. #define SMB21_PROT_ID 0x0210
  277. #define BAD_PROT_ID 0xFFFF
  278. static struct {
  279. int index;
  280. __le16 name;
  281. } smb2protocols[] = {
  282. {SMB2_PROT, cpu_to_le16(SMB2_PROT_ID)},
  283. {SMB21_PROT, cpu_to_le16(SMB21_PROT_ID)},
  284. {BAD_PROT, cpu_to_le16(BAD_PROT_ID)}
  285. };
  286. /*
  287. *
  288. * SMB2 Worker functions follow:
  289. *
  290. * The general structure of the worker functions is:
  291. * 1) Call smb2_init (assembles SMB2 header)
  292. * 2) Initialize SMB2 command specific fields in fixed length area of SMB
  293. * 3) Call smb_sendrcv2 (sends request on socket and waits for response)
  294. * 4) Decode SMB2 command specific fields in the fixed length area
  295. * 5) Decode variable length data area (if any for this SMB2 command type)
  296. * 6) Call free smb buffer
  297. * 7) return
  298. *
  299. */
  300. int
  301. SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
  302. {
  303. struct smb2_negotiate_req *req;
  304. struct smb2_negotiate_rsp *rsp;
  305. struct kvec iov[1];
  306. int rc = 0;
  307. int resp_buftype;
  308. struct TCP_Server_Info *server;
  309. unsigned int sec_flags;
  310. u16 i;
  311. u16 temp = 0;
  312. int blob_offset, blob_length;
  313. char *security_blob;
  314. int flags = CIFS_NEG_OP;
  315. cFYI(1, "Negotiate protocol");
  316. if (ses->server)
  317. server = ses->server;
  318. else {
  319. rc = -EIO;
  320. return rc;
  321. }
  322. rc = small_smb2_init(SMB2_NEGOTIATE, NULL, (void **) &req);
  323. if (rc)
  324. return rc;
  325. /* if any of auth flags (ie not sign or seal) are overriden use them */
  326. if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
  327. sec_flags = ses->overrideSecFlg; /* BB FIXME fix sign flags?*/
  328. else /* if override flags set only sign/seal OR them with global auth */
  329. sec_flags = global_secflags | ses->overrideSecFlg;
  330. cFYI(1, "sec_flags 0x%x", sec_flags);
  331. req->hdr.SessionId = 0;
  332. for (i = 0; i < SMB2_NUM_PROT; i++)
  333. req->Dialects[i] = smb2protocols[i].name;
  334. req->DialectCount = cpu_to_le16(i);
  335. inc_rfc1001_len(req, i * 2);
  336. /* only one of SMB2 signing flags may be set in SMB2 request */
  337. if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)
  338. temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
  339. else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */
  340. temp = SMB2_NEGOTIATE_SIGNING_ENABLED;
  341. req->SecurityMode = cpu_to_le16(temp);
  342. req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
  343. iov[0].iov_base = (char *)req;
  344. /* 4 for rfc1002 length field */
  345. iov[0].iov_len = get_rfc1002_length(req) + 4;
  346. rc = SendReceive2(xid, ses, iov, 1, &resp_buftype, flags);
  347. rsp = (struct smb2_negotiate_rsp *)iov[0].iov_base;
  348. /*
  349. * No tcon so can't do
  350. * cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_fail[SMB2...]);
  351. */
  352. if (rc != 0)
  353. goto neg_exit;
  354. if (rsp == NULL) {
  355. rc = -EIO;
  356. goto neg_exit;
  357. }
  358. cFYI(1, "mode 0x%x", rsp->SecurityMode);
  359. if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
  360. cFYI(1, "negotiated smb2.1 dialect");
  361. else if (rsp->DialectRevision == smb2protocols[SMB2_PROT].name)
  362. cFYI(1, "negotiated smb2 dialect");
  363. else {
  364. cERROR(1, "Illegal dialect returned by server %d",
  365. le16_to_cpu(rsp->DialectRevision));
  366. rc = -EIO;
  367. goto neg_exit;
  368. }
  369. server->dialect = le16_to_cpu(rsp->DialectRevision);
  370. server->maxBuf = le32_to_cpu(rsp->MaxTransactSize);
  371. server->max_read = le32_to_cpu(rsp->MaxReadSize);
  372. server->max_write = le32_to_cpu(rsp->MaxWriteSize);
  373. /* BB Do we need to validate the SecurityMode? */
  374. server->sec_mode = le16_to_cpu(rsp->SecurityMode);
  375. server->capabilities = le32_to_cpu(rsp->Capabilities);
  376. /* Internal types */
  377. server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES;
  378. security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
  379. &rsp->hdr);
  380. if (blob_length == 0) {
  381. cERROR(1, "missing security blob on negprot");
  382. rc = -EIO;
  383. goto neg_exit;
  384. }
  385. #ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
  386. rc = decode_neg_token_init(security_blob, blob_length,
  387. &server->sec_type);
  388. if (rc == 1)
  389. rc = 0;
  390. else if (rc == 0) {
  391. rc = -EIO;
  392. goto neg_exit;
  393. }
  394. #endif
  395. neg_exit:
  396. free_rsp_buf(resp_buftype, rsp);
  397. return rc;
  398. }
  399. int
  400. SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
  401. const struct nls_table *nls_cp)
  402. {
  403. struct smb2_sess_setup_req *req;
  404. struct smb2_sess_setup_rsp *rsp = NULL;
  405. struct kvec iov[2];
  406. int rc = 0;
  407. int resp_buftype;
  408. __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
  409. struct TCP_Server_Info *server;
  410. unsigned int sec_flags;
  411. u8 temp = 0;
  412. u16 blob_length = 0;
  413. char *security_blob;
  414. char *ntlmssp_blob = NULL;
  415. bool use_spnego = false; /* else use raw ntlmssp */
  416. cFYI(1, "Session Setup");
  417. if (ses->server)
  418. server = ses->server;
  419. else {
  420. rc = -EIO;
  421. return rc;
  422. }
  423. /*
  424. * If memory allocation is successful, caller of this function
  425. * frees it.
  426. */
  427. ses->ntlmssp = kmalloc(sizeof(struct ntlmssp_auth), GFP_KERNEL);
  428. if (!ses->ntlmssp)
  429. return -ENOMEM;
  430. ses->server->secType = RawNTLMSSP;
  431. ssetup_ntlmssp_authenticate:
  432. if (phase == NtLmChallenge)
  433. phase = NtLmAuthenticate; /* if ntlmssp, now final phase */
  434. rc = small_smb2_init(SMB2_SESSION_SETUP, NULL, (void **) &req);
  435. if (rc)
  436. return rc;
  437. /* if any of auth flags (ie not sign or seal) are overriden use them */
  438. if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
  439. sec_flags = ses->overrideSecFlg; /* BB FIXME fix sign flags?*/
  440. else /* if override flags set only sign/seal OR them with global auth */
  441. sec_flags = global_secflags | ses->overrideSecFlg;
  442. cFYI(1, "sec_flags 0x%x", sec_flags);
  443. req->hdr.SessionId = 0; /* First session, not a reauthenticate */
  444. req->VcNumber = 0; /* MBZ */
  445. /* to enable echos and oplocks */
  446. req->hdr.CreditRequest = cpu_to_le16(3);
  447. /* only one of SMB2 signing flags may be set in SMB2 request */
  448. if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)
  449. temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
  450. else if (ses->server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
  451. temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
  452. else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */
  453. temp = SMB2_NEGOTIATE_SIGNING_ENABLED;
  454. req->SecurityMode = temp;
  455. req->Capabilities = 0;
  456. req->Channel = 0; /* MBZ */
  457. iov[0].iov_base = (char *)req;
  458. /* 4 for rfc1002 length field and 1 for pad */
  459. iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
  460. if (phase == NtLmNegotiate) {
  461. ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE),
  462. GFP_KERNEL);
  463. if (ntlmssp_blob == NULL) {
  464. rc = -ENOMEM;
  465. goto ssetup_exit;
  466. }
  467. build_ntlmssp_negotiate_blob(ntlmssp_blob, ses);
  468. if (use_spnego) {
  469. /* blob_length = build_spnego_ntlmssp_blob(
  470. &security_blob,
  471. sizeof(struct _NEGOTIATE_MESSAGE),
  472. ntlmssp_blob); */
  473. /* BB eventually need to add this */
  474. cERROR(1, "spnego not supported for SMB2 yet");
  475. rc = -EOPNOTSUPP;
  476. kfree(ntlmssp_blob);
  477. goto ssetup_exit;
  478. } else {
  479. blob_length = sizeof(struct _NEGOTIATE_MESSAGE);
  480. /* with raw NTLMSSP we don't encapsulate in SPNEGO */
  481. security_blob = ntlmssp_blob;
  482. }
  483. } else if (phase == NtLmAuthenticate) {
  484. req->hdr.SessionId = ses->Suid;
  485. ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500,
  486. GFP_KERNEL);
  487. if (ntlmssp_blob == NULL) {
  488. cERROR(1, "failed to malloc ntlmssp blob");
  489. rc = -ENOMEM;
  490. goto ssetup_exit;
  491. }
  492. rc = build_ntlmssp_auth_blob(ntlmssp_blob, &blob_length, ses,
  493. nls_cp);
  494. if (rc) {
  495. cFYI(1, "build_ntlmssp_auth_blob failed %d", rc);
  496. goto ssetup_exit; /* BB double check error handling */
  497. }
  498. if (use_spnego) {
  499. /* blob_length = build_spnego_ntlmssp_blob(
  500. &security_blob,
  501. blob_length,
  502. ntlmssp_blob); */
  503. cERROR(1, "spnego not supported for SMB2 yet");
  504. rc = -EOPNOTSUPP;
  505. kfree(ntlmssp_blob);
  506. goto ssetup_exit;
  507. } else {
  508. security_blob = ntlmssp_blob;
  509. }
  510. } else {
  511. cERROR(1, "illegal ntlmssp phase");
  512. rc = -EIO;
  513. goto ssetup_exit;
  514. }
  515. /* Testing shows that buffer offset must be at location of Buffer[0] */
  516. req->SecurityBufferOffset =
  517. cpu_to_le16(sizeof(struct smb2_sess_setup_req) -
  518. 1 /* pad */ - 4 /* rfc1001 len */);
  519. req->SecurityBufferLength = cpu_to_le16(blob_length);
  520. iov[1].iov_base = security_blob;
  521. iov[1].iov_len = blob_length;
  522. inc_rfc1001_len(req, blob_length - 1 /* pad */);
  523. /* BB add code to build os and lm fields */
  524. rc = SendReceive2(xid, ses, iov, 2, &resp_buftype, CIFS_LOG_ERROR);
  525. kfree(security_blob);
  526. rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
  527. if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
  528. if (phase != NtLmNegotiate) {
  529. cERROR(1, "Unexpected more processing error");
  530. goto ssetup_exit;
  531. }
  532. if (offsetof(struct smb2_sess_setup_rsp, Buffer) - 4 !=
  533. le16_to_cpu(rsp->SecurityBufferOffset)) {
  534. cERROR(1, "Invalid security buffer offset %d",
  535. le16_to_cpu(rsp->SecurityBufferOffset));
  536. rc = -EIO;
  537. goto ssetup_exit;
  538. }
  539. /* NTLMSSP Negotiate sent now processing challenge (response) */
  540. phase = NtLmChallenge; /* process ntlmssp challenge */
  541. rc = 0; /* MORE_PROCESSING is not an error here but expected */
  542. ses->Suid = rsp->hdr.SessionId;
  543. rc = decode_ntlmssp_challenge(rsp->Buffer,
  544. le16_to_cpu(rsp->SecurityBufferLength), ses);
  545. }
  546. /*
  547. * BB eventually add code for SPNEGO decoding of NtlmChallenge blob,
  548. * but at least the raw NTLMSSP case works.
  549. */
  550. /*
  551. * No tcon so can't do
  552. * cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_fail[SMB2...]);
  553. */
  554. if (rc != 0)
  555. goto ssetup_exit;
  556. if (rsp == NULL) {
  557. rc = -EIO;
  558. goto ssetup_exit;
  559. }
  560. ses->session_flags = le16_to_cpu(rsp->SessionFlags);
  561. ssetup_exit:
  562. free_rsp_buf(resp_buftype, rsp);
  563. /* if ntlmssp, and negotiate succeeded, proceed to authenticate phase */
  564. if ((phase == NtLmChallenge) && (rc == 0))
  565. goto ssetup_ntlmssp_authenticate;
  566. return rc;
  567. }
  568. int
  569. SMB2_logoff(const unsigned int xid, struct cifs_ses *ses)
  570. {
  571. struct smb2_logoff_req *req; /* response is also trivial struct */
  572. int rc = 0;
  573. struct TCP_Server_Info *server;
  574. cFYI(1, "disconnect session %p", ses);
  575. if (ses && (ses->server))
  576. server = ses->server;
  577. else
  578. return -EIO;
  579. rc = small_smb2_init(SMB2_LOGOFF, NULL, (void **) &req);
  580. if (rc)
  581. return rc;
  582. /* since no tcon, smb2_init can not do this, so do here */
  583. req->hdr.SessionId = ses->Suid;
  584. rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0);
  585. /*
  586. * No tcon so can't do
  587. * cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_fail[SMB2...]);
  588. */
  589. return rc;
  590. }
  591. static inline void cifs_stats_fail_inc(struct cifs_tcon *tcon, uint16_t code)
  592. {
  593. cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_failed[code]);
  594. }
  595. #define MAX_SHARENAME_LENGTH (255 /* server */ + 80 /* share */ + 1 /* NULL */)
  596. int
  597. SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
  598. struct cifs_tcon *tcon, const struct nls_table *cp)
  599. {
  600. struct smb2_tree_connect_req *req;
  601. struct smb2_tree_connect_rsp *rsp = NULL;
  602. struct kvec iov[2];
  603. int rc = 0;
  604. int resp_buftype;
  605. int unc_path_len;
  606. struct TCP_Server_Info *server;
  607. __le16 *unc_path = NULL;
  608. cFYI(1, "TCON");
  609. if ((ses->server) && tree)
  610. server = ses->server;
  611. else
  612. return -EIO;
  613. if (tcon && tcon->bad_network_name)
  614. return -ENOENT;
  615. unc_path = kmalloc(MAX_SHARENAME_LENGTH * 2, GFP_KERNEL);
  616. if (unc_path == NULL)
  617. return -ENOMEM;
  618. unc_path_len = cifs_strtoUTF16(unc_path, tree, strlen(tree), cp) + 1;
  619. unc_path_len *= 2;
  620. if (unc_path_len < 2) {
  621. kfree(unc_path);
  622. return -EINVAL;
  623. }
  624. rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
  625. if (rc) {
  626. kfree(unc_path);
  627. return rc;
  628. }
  629. if (tcon == NULL) {
  630. /* since no tcon, smb2_init can not do this, so do here */
  631. req->hdr.SessionId = ses->Suid;
  632. /* if (ses->server->sec_mode & SECMODE_SIGN_REQUIRED)
  633. req->hdr.Flags |= SMB2_FLAGS_SIGNED; */
  634. }
  635. iov[0].iov_base = (char *)req;
  636. /* 4 for rfc1002 length field and 1 for pad */
  637. iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
  638. /* Testing shows that buffer offset must be at location of Buffer[0] */
  639. req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req)
  640. - 1 /* pad */ - 4 /* do not count rfc1001 len field */);
  641. req->PathLength = cpu_to_le16(unc_path_len - 2);
  642. iov[1].iov_base = unc_path;
  643. iov[1].iov_len = unc_path_len;
  644. inc_rfc1001_len(req, unc_path_len - 1 /* pad */);
  645. rc = SendReceive2(xid, ses, iov, 2, &resp_buftype, 0);
  646. rsp = (struct smb2_tree_connect_rsp *)iov[0].iov_base;
  647. if (rc != 0) {
  648. if (tcon) {
  649. cifs_stats_fail_inc(tcon, SMB2_TREE_CONNECT_HE);
  650. tcon->need_reconnect = true;
  651. }
  652. goto tcon_error_exit;
  653. }
  654. if (rsp == NULL) {
  655. rc = -EIO;
  656. goto tcon_exit;
  657. }
  658. if (tcon == NULL) {
  659. ses->ipc_tid = rsp->hdr.TreeId;
  660. goto tcon_exit;
  661. }
  662. if (rsp->ShareType & SMB2_SHARE_TYPE_DISK)
  663. cFYI(1, "connection to disk share");
  664. else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) {
  665. tcon->ipc = true;
  666. cFYI(1, "connection to pipe share");
  667. } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) {
  668. tcon->print = true;
  669. cFYI(1, "connection to printer");
  670. } else {
  671. cERROR(1, "unknown share type %d", rsp->ShareType);
  672. rc = -EOPNOTSUPP;
  673. goto tcon_error_exit;
  674. }
  675. tcon->share_flags = le32_to_cpu(rsp->ShareFlags);
  676. tcon->maximal_access = le32_to_cpu(rsp->MaximalAccess);
  677. tcon->tidStatus = CifsGood;
  678. tcon->need_reconnect = false;
  679. tcon->tid = rsp->hdr.TreeId;
  680. strncpy(tcon->treeName, tree, MAX_TREE_SIZE);
  681. if ((rsp->Capabilities & SMB2_SHARE_CAP_DFS) &&
  682. ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
  683. cERROR(1, "DFS capability contradicts DFS flag");
  684. tcon_exit:
  685. free_rsp_buf(resp_buftype, rsp);
  686. kfree(unc_path);
  687. return rc;
  688. tcon_error_exit:
  689. if (rsp->hdr.Status == STATUS_BAD_NETWORK_NAME) {
  690. cERROR(1, "BAD_NETWORK_NAME: %s", tree);
  691. tcon->bad_network_name = true;
  692. }
  693. goto tcon_exit;
  694. }
  695. int
  696. SMB2_tdis(const unsigned int xid, struct cifs_tcon *tcon)
  697. {
  698. struct smb2_tree_disconnect_req *req; /* response is trivial */
  699. int rc = 0;
  700. struct TCP_Server_Info *server;
  701. struct cifs_ses *ses = tcon->ses;
  702. cFYI(1, "Tree Disconnect");
  703. if (ses && (ses->server))
  704. server = ses->server;
  705. else
  706. return -EIO;
  707. if ((tcon->need_reconnect) || (tcon->ses->need_reconnect))
  708. return 0;
  709. rc = small_smb2_init(SMB2_TREE_DISCONNECT, tcon, (void **) &req);
  710. if (rc)
  711. return rc;
  712. rc = SendReceiveNoRsp(xid, ses, (char *)&req->hdr, 0);
  713. if (rc)
  714. cifs_stats_fail_inc(tcon, SMB2_TREE_DISCONNECT_HE);
  715. return rc;
  716. }
  717. int
  718. SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path,
  719. u64 *persistent_fid, u64 *volatile_fid, __u32 desired_access,
  720. __u32 create_disposition, __u32 file_attributes, __u32 create_options)
  721. {
  722. struct smb2_create_req *req;
  723. struct smb2_create_rsp *rsp;
  724. struct TCP_Server_Info *server;
  725. struct cifs_ses *ses = tcon->ses;
  726. struct kvec iov[2];
  727. int resp_buftype;
  728. int uni_path_len;
  729. int rc = 0;
  730. int num_iovecs = 2;
  731. cFYI(1, "create/open");
  732. if (ses && (ses->server))
  733. server = ses->server;
  734. else
  735. return -EIO;
  736. rc = small_smb2_init(SMB2_CREATE, tcon, (void **) &req);
  737. if (rc)
  738. return rc;
  739. if (enable_oplocks)
  740. req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_BATCH;
  741. else
  742. req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE;
  743. req->ImpersonationLevel = IL_IMPERSONATION;
  744. req->DesiredAccess = cpu_to_le32(desired_access);
  745. /* File attributes ignored on open (used in create though) */
  746. req->FileAttributes = cpu_to_le32(file_attributes);
  747. req->ShareAccess = FILE_SHARE_ALL_LE;
  748. req->CreateDisposition = cpu_to_le32(create_disposition);
  749. req->CreateOptions = cpu_to_le32(create_options);
  750. uni_path_len = (2 * UniStrnlen((wchar_t *)path, PATH_MAX)) + 2;
  751. req->NameOffset = cpu_to_le16(sizeof(struct smb2_create_req)
  752. - 1 /* pad */ - 4 /* do not count rfc1001 len field */);
  753. iov[0].iov_base = (char *)req;
  754. /* 4 for rfc1002 length field */
  755. iov[0].iov_len = get_rfc1002_length(req) + 4;
  756. /* MUST set path len (NameLength) to 0 opening root of share */
  757. if (uni_path_len >= 4) {
  758. req->NameLength = cpu_to_le16(uni_path_len - 2);
  759. /* -1 since last byte is buf[0] which is sent below (path) */
  760. iov[0].iov_len--;
  761. iov[1].iov_len = uni_path_len;
  762. iov[1].iov_base = path;
  763. /*
  764. * -1 since last byte is buf[0] which was counted in
  765. * smb2_buf_len.
  766. */
  767. inc_rfc1001_len(req, uni_path_len - 1);
  768. } else {
  769. num_iovecs = 1;
  770. req->NameLength = 0;
  771. }
  772. rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
  773. rsp = (struct smb2_create_rsp *)iov[0].iov_base;
  774. if (rc != 0) {
  775. cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
  776. goto creat_exit;
  777. }
  778. if (rsp == NULL) {
  779. rc = -EIO;
  780. goto creat_exit;
  781. }
  782. *persistent_fid = rsp->PersistentFileId;
  783. *volatile_fid = rsp->VolatileFileId;
  784. creat_exit:
  785. free_rsp_buf(resp_buftype, rsp);
  786. return rc;
  787. }
  788. int
  789. SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
  790. u64 persistent_fid, u64 volatile_fid)
  791. {
  792. struct smb2_close_req *req;
  793. struct smb2_close_rsp *rsp;
  794. struct TCP_Server_Info *server;
  795. struct cifs_ses *ses = tcon->ses;
  796. struct kvec iov[1];
  797. int resp_buftype;
  798. int rc = 0;
  799. cFYI(1, "Close");
  800. if (ses && (ses->server))
  801. server = ses->server;
  802. else
  803. return -EIO;
  804. rc = small_smb2_init(SMB2_CLOSE, tcon, (void **) &req);
  805. if (rc)
  806. return rc;
  807. req->PersistentFileId = persistent_fid;
  808. req->VolatileFileId = volatile_fid;
  809. iov[0].iov_base = (char *)req;
  810. /* 4 for rfc1002 length field */
  811. iov[0].iov_len = get_rfc1002_length(req) + 4;
  812. rc = SendReceive2(xid, ses, iov, 1, &resp_buftype, 0);
  813. rsp = (struct smb2_close_rsp *)iov[0].iov_base;
  814. if (rc != 0) {
  815. if (tcon)
  816. cifs_stats_fail_inc(tcon, SMB2_CLOSE_HE);
  817. goto close_exit;
  818. }
  819. if (rsp == NULL) {
  820. rc = -EIO;
  821. goto close_exit;
  822. }
  823. /* BB FIXME - decode close response, update inode for caching */
  824. close_exit:
  825. free_rsp_buf(resp_buftype, rsp);
  826. return rc;
  827. }
  828. static int
  829. validate_buf(unsigned int offset, unsigned int buffer_length,
  830. struct smb2_hdr *hdr, unsigned int min_buf_size)
  831. {
  832. unsigned int smb_len = be32_to_cpu(hdr->smb2_buf_length);
  833. char *end_of_smb = smb_len + 4 /* RFC1001 length field */ + (char *)hdr;
  834. char *begin_of_buf = 4 /* RFC1001 len field */ + offset + (char *)hdr;
  835. char *end_of_buf = begin_of_buf + buffer_length;
  836. if (buffer_length < min_buf_size) {
  837. cERROR(1, "buffer length %d smaller than minimum size %d",
  838. buffer_length, min_buf_size);
  839. return -EINVAL;
  840. }
  841. /* check if beyond RFC1001 maximum length */
  842. if ((smb_len > 0x7FFFFF) || (buffer_length > 0x7FFFFF)) {
  843. cERROR(1, "buffer length %d or smb length %d too large",
  844. buffer_length, smb_len);
  845. return -EINVAL;
  846. }
  847. if ((begin_of_buf > end_of_smb) || (end_of_buf > end_of_smb)) {
  848. cERROR(1, "illegal server response, bad offset to data");
  849. return -EINVAL;
  850. }
  851. return 0;
  852. }
  853. /*
  854. * If SMB buffer fields are valid, copy into temporary buffer to hold result.
  855. * Caller must free buffer.
  856. */
  857. static int
  858. validate_and_copy_buf(unsigned int offset, unsigned int buffer_length,
  859. struct smb2_hdr *hdr, unsigned int minbufsize,
  860. char *data)
  861. {
  862. char *begin_of_buf = 4 /* RFC1001 len field */ + offset + (char *)hdr;
  863. int rc;
  864. if (!data)
  865. return -EINVAL;
  866. rc = validate_buf(offset, buffer_length, hdr, minbufsize);
  867. if (rc)
  868. return rc;
  869. memcpy(data, begin_of_buf, buffer_length);
  870. return 0;
  871. }
  872. int
  873. SMB2_query_info(const unsigned int xid, struct cifs_tcon *tcon,
  874. u64 persistent_fid, u64 volatile_fid,
  875. struct smb2_file_all_info *data)
  876. {
  877. struct smb2_query_info_req *req;
  878. struct smb2_query_info_rsp *rsp = NULL;
  879. struct kvec iov[2];
  880. int rc = 0;
  881. int resp_buftype;
  882. struct TCP_Server_Info *server;
  883. struct cifs_ses *ses = tcon->ses;
  884. cFYI(1, "Query Info");
  885. if (ses && (ses->server))
  886. server = ses->server;
  887. else
  888. return -EIO;
  889. rc = small_smb2_init(SMB2_QUERY_INFO, tcon, (void **) &req);
  890. if (rc)
  891. return rc;
  892. req->InfoType = SMB2_O_INFO_FILE;
  893. req->FileInfoClass = FILE_ALL_INFORMATION;
  894. req->PersistentFileId = persistent_fid;
  895. req->VolatileFileId = volatile_fid;
  896. /* 4 for rfc1002 length field and 1 for Buffer */
  897. req->InputBufferOffset =
  898. cpu_to_le16(sizeof(struct smb2_query_info_req) - 1 - 4);
  899. req->OutputBufferLength =
  900. cpu_to_le32(sizeof(struct smb2_file_all_info) + MAX_NAME * 2);
  901. iov[0].iov_base = (char *)req;
  902. /* 4 for rfc1002 length field */
  903. iov[0].iov_len = get_rfc1002_length(req) + 4;
  904. rc = SendReceive2(xid, ses, iov, 1, &resp_buftype, 0);
  905. if (rc) {
  906. cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
  907. goto qinf_exit;
  908. }
  909. rsp = (struct smb2_query_info_rsp *)iov[0].iov_base;
  910. rc = validate_and_copy_buf(le16_to_cpu(rsp->OutputBufferOffset),
  911. le32_to_cpu(rsp->OutputBufferLength),
  912. &rsp->hdr, sizeof(struct smb2_file_all_info),
  913. (char *)data);
  914. qinf_exit:
  915. free_rsp_buf(resp_buftype, rsp);
  916. return rc;
  917. }
  918. /*
  919. * This is a no-op for now. We're not really interested in the reply, but
  920. * rather in the fact that the server sent one and that server->lstrp
  921. * gets updated.
  922. *
  923. * FIXME: maybe we should consider checking that the reply matches request?
  924. */
  925. static void
  926. smb2_echo_callback(struct mid_q_entry *mid)
  927. {
  928. struct TCP_Server_Info *server = mid->callback_data;
  929. struct smb2_echo_rsp *smb2 = (struct smb2_echo_rsp *)mid->resp_buf;
  930. unsigned int credits_received = 1;
  931. if (mid->mid_state == MID_RESPONSE_RECEIVED)
  932. credits_received = le16_to_cpu(smb2->hdr.CreditRequest);
  933. DeleteMidQEntry(mid);
  934. add_credits(server, credits_received, CIFS_ECHO_OP);
  935. }
  936. int
  937. SMB2_echo(struct TCP_Server_Info *server)
  938. {
  939. struct smb2_echo_req *req;
  940. int rc = 0;
  941. struct kvec iov;
  942. cFYI(1, "In echo request");
  943. rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
  944. if (rc)
  945. return rc;
  946. req->hdr.CreditRequest = cpu_to_le16(1);
  947. iov.iov_base = (char *)req;
  948. /* 4 for rfc1002 length field */
  949. iov.iov_len = get_rfc1002_length(req) + 4;
  950. rc = cifs_call_async(server, &iov, 1, NULL, smb2_echo_callback, server,
  951. CIFS_ECHO_OP);
  952. if (rc)
  953. cFYI(1, "Echo request failed: %d", rc);
  954. cifs_small_buf_release(req);
  955. return rc;
  956. }