smb2transport.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567
  1. /*
  2. * fs/cifs/smb2transport.c
  3. *
  4. * Copyright (C) International Business Machines Corp., 2002, 2011
  5. * Etersoft, 2012
  6. * Author(s): Steve French (sfrench@us.ibm.com)
  7. * Jeremy Allison (jra@samba.org) 2006
  8. * Pavel Shilovsky (pshilovsky@samba.org) 2012
  9. *
  10. * This library is free software; you can redistribute it and/or modify
  11. * it under the terms of the GNU Lesser General Public License as published
  12. * by the Free Software Foundation; either version 2.1 of the License, or
  13. * (at your option) any later version.
  14. *
  15. * This library is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
  18. * the GNU Lesser General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Lesser General Public License
  21. * along with this library; if not, write to the Free Software
  22. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  23. */
  24. #include <linux/fs.h>
  25. #include <linux/list.h>
  26. #include <linux/wait.h>
  27. #include <linux/net.h>
  28. #include <linux/delay.h>
  29. #include <linux/uaccess.h>
  30. #include <asm/processor.h>
  31. #include <linux/mempool.h>
  32. #include <linux/highmem.h>
  33. #include "smb2pdu.h"
  34. #include "cifsglob.h"
  35. #include "cifsproto.h"
  36. #include "smb2proto.h"
  37. #include "cifs_debug.h"
  38. #include "smb2status.h"
  39. #include "smb2glob.h"
  40. static int
  41. smb2_crypto_shash_allocate(struct TCP_Server_Info *server)
  42. {
  43. int rc;
  44. unsigned int size;
  45. if (server->secmech.sdeschmacsha256 != NULL)
  46. return 0; /* already allocated */
  47. server->secmech.hmacsha256 = crypto_alloc_shash("hmac(sha256)", 0, 0);
  48. if (IS_ERR(server->secmech.hmacsha256)) {
  49. cifs_dbg(VFS, "could not allocate crypto hmacsha256\n");
  50. rc = PTR_ERR(server->secmech.hmacsha256);
  51. server->secmech.hmacsha256 = NULL;
  52. return rc;
  53. }
  54. size = sizeof(struct shash_desc) +
  55. crypto_shash_descsize(server->secmech.hmacsha256);
  56. server->secmech.sdeschmacsha256 = kmalloc(size, GFP_KERNEL);
  57. if (!server->secmech.sdeschmacsha256) {
  58. crypto_free_shash(server->secmech.hmacsha256);
  59. server->secmech.hmacsha256 = NULL;
  60. return -ENOMEM;
  61. }
  62. server->secmech.sdeschmacsha256->shash.tfm = server->secmech.hmacsha256;
  63. server->secmech.sdeschmacsha256->shash.flags = 0x0;
  64. return 0;
  65. }
  66. static int
  67. smb3_crypto_shash_allocate(struct TCP_Server_Info *server)
  68. {
  69. unsigned int size;
  70. int rc;
  71. if (server->secmech.sdesccmacaes != NULL)
  72. return 0; /* already allocated */
  73. rc = smb2_crypto_shash_allocate(server);
  74. if (rc)
  75. return rc;
  76. server->secmech.cmacaes = crypto_alloc_shash("cmac(aes)", 0, 0);
  77. if (IS_ERR(server->secmech.cmacaes)) {
  78. cifs_dbg(VFS, "could not allocate crypto cmac-aes");
  79. kfree(server->secmech.sdeschmacsha256);
  80. server->secmech.sdeschmacsha256 = NULL;
  81. crypto_free_shash(server->secmech.hmacsha256);
  82. server->secmech.hmacsha256 = NULL;
  83. rc = PTR_ERR(server->secmech.cmacaes);
  84. server->secmech.cmacaes = NULL;
  85. return rc;
  86. }
  87. size = sizeof(struct shash_desc) +
  88. crypto_shash_descsize(server->secmech.cmacaes);
  89. server->secmech.sdesccmacaes = kmalloc(size, GFP_KERNEL);
  90. if (!server->secmech.sdesccmacaes) {
  91. cifs_dbg(VFS, "%s: Can't alloc cmacaes\n", __func__);
  92. kfree(server->secmech.sdeschmacsha256);
  93. server->secmech.sdeschmacsha256 = NULL;
  94. crypto_free_shash(server->secmech.hmacsha256);
  95. crypto_free_shash(server->secmech.cmacaes);
  96. server->secmech.hmacsha256 = NULL;
  97. server->secmech.cmacaes = NULL;
  98. return -ENOMEM;
  99. }
  100. server->secmech.sdesccmacaes->shash.tfm = server->secmech.cmacaes;
  101. server->secmech.sdesccmacaes->shash.flags = 0x0;
  102. return 0;
  103. }
  104. int
  105. smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  106. {
  107. int i, rc;
  108. unsigned char smb2_signature[SMB2_HMACSHA256_SIZE];
  109. unsigned char *sigptr = smb2_signature;
  110. struct kvec *iov = rqst->rq_iov;
  111. int n_vec = rqst->rq_nvec;
  112. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)iov[0].iov_base;
  113. memset(smb2_signature, 0x0, SMB2_HMACSHA256_SIZE);
  114. memset(smb2_pdu->Signature, 0x0, SMB2_SIGNATURE_SIZE);
  115. rc = smb2_crypto_shash_allocate(server);
  116. if (rc) {
  117. cifs_dbg(VFS, "%s: shah256 alloc failed\n", __func__);
  118. return rc;
  119. }
  120. rc = crypto_shash_setkey(server->secmech.hmacsha256,
  121. server->session_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
  122. if (rc) {
  123. cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
  124. return rc;
  125. }
  126. rc = crypto_shash_init(&server->secmech.sdeschmacsha256->shash);
  127. if (rc) {
  128. cifs_dbg(VFS, "%s: Could not init sha256", __func__);
  129. return rc;
  130. }
  131. for (i = 0; i < n_vec; i++) {
  132. if (iov[i].iov_len == 0)
  133. continue;
  134. if (iov[i].iov_base == NULL) {
  135. cifs_dbg(VFS, "null iovec entry\n");
  136. return -EIO;
  137. }
  138. /*
  139. * The first entry includes a length field (which does not get
  140. * signed that occupies the first 4 bytes before the header).
  141. */
  142. if (i == 0) {
  143. if (iov[0].iov_len <= 8) /* cmd field at offset 9 */
  144. break; /* nothing to sign or corrupt header */
  145. rc =
  146. crypto_shash_update(
  147. &server->secmech.sdeschmacsha256->shash,
  148. iov[i].iov_base + 4, iov[i].iov_len - 4);
  149. } else {
  150. rc =
  151. crypto_shash_update(
  152. &server->secmech.sdeschmacsha256->shash,
  153. iov[i].iov_base, iov[i].iov_len);
  154. }
  155. if (rc) {
  156. cifs_dbg(VFS, "%s: Could not update with payload\n",
  157. __func__);
  158. return rc;
  159. }
  160. }
  161. /* now hash over the rq_pages array */
  162. for (i = 0; i < rqst->rq_npages; i++) {
  163. struct kvec p_iov;
  164. cifs_rqst_page_to_kvec(rqst, i, &p_iov);
  165. crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  166. p_iov.iov_base, p_iov.iov_len);
  167. kunmap(rqst->rq_pages[i]);
  168. }
  169. rc = crypto_shash_final(&server->secmech.sdeschmacsha256->shash,
  170. sigptr);
  171. if (rc)
  172. cifs_dbg(VFS, "%s: Could not generate sha256 hash\n", __func__);
  173. memcpy(smb2_pdu->Signature, sigptr, SMB2_SIGNATURE_SIZE);
  174. return rc;
  175. }
  176. void
  177. generate_smb3signingkey(struct TCP_Server_Info *server)
  178. {
  179. unsigned char zero = 0x0;
  180. __u8 i[4] = {0, 0, 0, 1};
  181. __u8 L[4] = {0, 0, 0, 128};
  182. int rc = 0;
  183. unsigned char prfhash[SMB2_HMACSHA256_SIZE];
  184. unsigned char *hashptr = prfhash;
  185. memset(prfhash, 0x0, SMB2_HMACSHA256_SIZE);
  186. memset(server->smb3signingkey, 0x0, SMB3_SIGNKEY_SIZE);
  187. rc = smb3_crypto_shash_allocate(server);
  188. if (rc) {
  189. cifs_dbg(VFS, "%s: crypto alloc failed\n", __func__);
  190. goto smb3signkey_ret;
  191. }
  192. rc = crypto_shash_setkey(server->secmech.hmacsha256,
  193. server->session_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
  194. if (rc) {
  195. cifs_dbg(VFS, "%s: Could not set with session key\n", __func__);
  196. goto smb3signkey_ret;
  197. }
  198. rc = crypto_shash_init(&server->secmech.sdeschmacsha256->shash);
  199. if (rc) {
  200. cifs_dbg(VFS, "%s: Could not init sign hmac\n", __func__);
  201. goto smb3signkey_ret;
  202. }
  203. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  204. i, 4);
  205. if (rc) {
  206. cifs_dbg(VFS, "%s: Could not update with n\n", __func__);
  207. goto smb3signkey_ret;
  208. }
  209. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  210. "SMB2AESCMAC", 12);
  211. if (rc) {
  212. cifs_dbg(VFS, "%s: Could not update with label\n", __func__);
  213. goto smb3signkey_ret;
  214. }
  215. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  216. &zero, 1);
  217. if (rc) {
  218. cifs_dbg(VFS, "%s: Could not update with zero\n", __func__);
  219. goto smb3signkey_ret;
  220. }
  221. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  222. "SmbSign", 8);
  223. if (rc) {
  224. cifs_dbg(VFS, "%s: Could not update with context\n", __func__);
  225. goto smb3signkey_ret;
  226. }
  227. rc = crypto_shash_update(&server->secmech.sdeschmacsha256->shash,
  228. L, 4);
  229. if (rc) {
  230. cifs_dbg(VFS, "%s: Could not update with L\n", __func__);
  231. goto smb3signkey_ret;
  232. }
  233. rc = crypto_shash_final(&server->secmech.sdeschmacsha256->shash,
  234. hashptr);
  235. if (rc) {
  236. cifs_dbg(VFS, "%s: Could not generate sha256 hash\n", __func__);
  237. goto smb3signkey_ret;
  238. }
  239. memcpy(server->smb3signingkey, hashptr, SMB3_SIGNKEY_SIZE);
  240. smb3signkey_ret:
  241. return;
  242. }
  243. int
  244. smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  245. {
  246. int i, rc;
  247. unsigned char smb3_signature[SMB2_CMACAES_SIZE];
  248. unsigned char *sigptr = smb3_signature;
  249. struct kvec *iov = rqst->rq_iov;
  250. int n_vec = rqst->rq_nvec;
  251. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)iov[0].iov_base;
  252. memset(smb3_signature, 0x0, SMB2_CMACAES_SIZE);
  253. memset(smb2_pdu->Signature, 0x0, SMB2_SIGNATURE_SIZE);
  254. rc = crypto_shash_setkey(server->secmech.cmacaes,
  255. server->smb3signingkey, SMB2_CMACAES_SIZE);
  256. if (rc) {
  257. cifs_dbg(VFS, "%s: Could not set key for cmac aes\n", __func__);
  258. return rc;
  259. }
  260. /*
  261. * we already allocate sdesccmacaes when we init smb3 signing key,
  262. * so unlike smb2 case we do not have to check here if secmech are
  263. * initialized
  264. */
  265. rc = crypto_shash_init(&server->secmech.sdesccmacaes->shash);
  266. if (rc) {
  267. cifs_dbg(VFS, "%s: Could not init cmac aes\n", __func__);
  268. return rc;
  269. }
  270. for (i = 0; i < n_vec; i++) {
  271. if (iov[i].iov_len == 0)
  272. continue;
  273. if (iov[i].iov_base == NULL) {
  274. cifs_dbg(VFS, "null iovec entry");
  275. return -EIO;
  276. }
  277. /*
  278. * The first entry includes a length field (which does not get
  279. * signed that occupies the first 4 bytes before the header).
  280. */
  281. if (i == 0) {
  282. if (iov[0].iov_len <= 8) /* cmd field at offset 9 */
  283. break; /* nothing to sign or corrupt header */
  284. rc =
  285. crypto_shash_update(
  286. &server->secmech.sdesccmacaes->shash,
  287. iov[i].iov_base + 4, iov[i].iov_len - 4);
  288. } else {
  289. rc =
  290. crypto_shash_update(
  291. &server->secmech.sdesccmacaes->shash,
  292. iov[i].iov_base, iov[i].iov_len);
  293. }
  294. if (rc) {
  295. cifs_dbg(VFS, "%s: Couldn't update cmac aes with payload\n",
  296. __func__);
  297. return rc;
  298. }
  299. }
  300. /* now hash over the rq_pages array */
  301. for (i = 0; i < rqst->rq_npages; i++) {
  302. struct kvec p_iov;
  303. cifs_rqst_page_to_kvec(rqst, i, &p_iov);
  304. crypto_shash_update(&server->secmech.sdesccmacaes->shash,
  305. p_iov.iov_base, p_iov.iov_len);
  306. kunmap(rqst->rq_pages[i]);
  307. }
  308. rc = crypto_shash_final(&server->secmech.sdesccmacaes->shash,
  309. sigptr);
  310. if (rc)
  311. cifs_dbg(VFS, "%s: Could not generate cmac aes\n", __func__);
  312. memcpy(smb2_pdu->Signature, sigptr, SMB2_SIGNATURE_SIZE);
  313. return rc;
  314. }
  315. /* must be called with server->srv_mutex held */
  316. static int
  317. smb2_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  318. {
  319. int rc = 0;
  320. struct smb2_hdr *smb2_pdu = rqst->rq_iov[0].iov_base;
  321. if (!(smb2_pdu->Flags & SMB2_FLAGS_SIGNED) ||
  322. server->tcpStatus == CifsNeedNegotiate)
  323. return rc;
  324. if (!server->session_estab) {
  325. strncpy(smb2_pdu->Signature, "BSRSPYL", 8);
  326. return rc;
  327. }
  328. rc = server->ops->calc_signature(rqst, server);
  329. return rc;
  330. }
  331. int
  332. smb2_verify_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
  333. {
  334. unsigned int rc;
  335. char server_response_sig[16];
  336. struct smb2_hdr *smb2_pdu = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  337. if ((smb2_pdu->Command == SMB2_NEGOTIATE) ||
  338. (smb2_pdu->Command == SMB2_OPLOCK_BREAK) ||
  339. (!server->session_estab))
  340. return 0;
  341. /*
  342. * BB what if signatures are supposed to be on for session but
  343. * server does not send one? BB
  344. */
  345. /* Do not need to verify session setups with signature "BSRSPYL " */
  346. if (memcmp(smb2_pdu->Signature, "BSRSPYL ", 8) == 0)
  347. cifs_dbg(FYI, "dummy signature received for smb command 0x%x\n",
  348. smb2_pdu->Command);
  349. /*
  350. * Save off the origiginal signature so we can modify the smb and check
  351. * our calculated signature against what the server sent.
  352. */
  353. memcpy(server_response_sig, smb2_pdu->Signature, SMB2_SIGNATURE_SIZE);
  354. memset(smb2_pdu->Signature, 0, SMB2_SIGNATURE_SIZE);
  355. mutex_lock(&server->srv_mutex);
  356. rc = server->ops->calc_signature(rqst, server);
  357. mutex_unlock(&server->srv_mutex);
  358. if (rc)
  359. return rc;
  360. if (memcmp(server_response_sig, smb2_pdu->Signature,
  361. SMB2_SIGNATURE_SIZE))
  362. return -EACCES;
  363. else
  364. return 0;
  365. }
  366. /*
  367. * Set message id for the request. Should be called after wait_for_free_request
  368. * and when srv_mutex is held.
  369. */
  370. static inline void
  371. smb2_seq_num_into_buf(struct TCP_Server_Info *server, struct smb2_hdr *hdr)
  372. {
  373. hdr->MessageId = get_next_mid(server);
  374. }
  375. static struct mid_q_entry *
  376. smb2_mid_entry_alloc(const struct smb2_hdr *smb_buffer,
  377. struct TCP_Server_Info *server)
  378. {
  379. struct mid_q_entry *temp;
  380. if (server == NULL) {
  381. cifs_dbg(VFS, "Null TCP session in smb2_mid_entry_alloc\n");
  382. return NULL;
  383. }
  384. temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS);
  385. if (temp == NULL)
  386. return temp;
  387. else {
  388. memset(temp, 0, sizeof(struct mid_q_entry));
  389. temp->mid = smb_buffer->MessageId; /* always LE */
  390. temp->pid = current->pid;
  391. temp->command = smb_buffer->Command; /* Always LE */
  392. temp->when_alloc = jiffies;
  393. temp->server = server;
  394. /*
  395. * The default is for the mid to be synchronous, so the
  396. * default callback just wakes up the current task.
  397. */
  398. temp->callback = cifs_wake_up_task;
  399. temp->callback_data = current;
  400. }
  401. atomic_inc(&midCount);
  402. temp->mid_state = MID_REQUEST_ALLOCATED;
  403. return temp;
  404. }
  405. static int
  406. smb2_get_mid_entry(struct cifs_ses *ses, struct smb2_hdr *buf,
  407. struct mid_q_entry **mid)
  408. {
  409. if (ses->server->tcpStatus == CifsExiting)
  410. return -ENOENT;
  411. if (ses->server->tcpStatus == CifsNeedReconnect) {
  412. cifs_dbg(FYI, "tcp session dead - return to caller to retry\n");
  413. return -EAGAIN;
  414. }
  415. if (ses->status != CifsGood) {
  416. /* check if SMB2 session is bad because we are setting it up */
  417. if ((buf->Command != SMB2_SESSION_SETUP) &&
  418. (buf->Command != SMB2_NEGOTIATE))
  419. return -EAGAIN;
  420. /* else ok - we are setting up session */
  421. }
  422. *mid = smb2_mid_entry_alloc(buf, ses->server);
  423. if (*mid == NULL)
  424. return -ENOMEM;
  425. spin_lock(&GlobalMid_Lock);
  426. list_add_tail(&(*mid)->qhead, &ses->server->pending_mid_q);
  427. spin_unlock(&GlobalMid_Lock);
  428. return 0;
  429. }
  430. int
  431. smb2_check_receive(struct mid_q_entry *mid, struct TCP_Server_Info *server,
  432. bool log_error)
  433. {
  434. unsigned int len = get_rfc1002_length(mid->resp_buf);
  435. struct kvec iov;
  436. struct smb_rqst rqst = { .rq_iov = &iov,
  437. .rq_nvec = 1 };
  438. iov.iov_base = (char *)mid->resp_buf;
  439. iov.iov_len = get_rfc1002_length(mid->resp_buf) + 4;
  440. dump_smb(mid->resp_buf, min_t(u32, 80, len));
  441. /* convert the length into a more usable form */
  442. if (len > 24 && server->sign) {
  443. int rc;
  444. rc = smb2_verify_signature(&rqst, server);
  445. if (rc)
  446. cifs_dbg(VFS, "SMB signature verification returned error = %d\n",
  447. rc);
  448. }
  449. return map_smb2_to_linux_error(mid->resp_buf, log_error);
  450. }
  451. struct mid_q_entry *
  452. smb2_setup_request(struct cifs_ses *ses, struct smb_rqst *rqst)
  453. {
  454. int rc;
  455. struct smb2_hdr *hdr = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  456. struct mid_q_entry *mid;
  457. smb2_seq_num_into_buf(ses->server, hdr);
  458. rc = smb2_get_mid_entry(ses, hdr, &mid);
  459. if (rc)
  460. return ERR_PTR(rc);
  461. rc = smb2_sign_rqst(rqst, ses->server);
  462. if (rc) {
  463. cifs_delete_mid(mid);
  464. return ERR_PTR(rc);
  465. }
  466. return mid;
  467. }
  468. struct mid_q_entry *
  469. smb2_setup_async_request(struct TCP_Server_Info *server, struct smb_rqst *rqst)
  470. {
  471. int rc;
  472. struct smb2_hdr *hdr = (struct smb2_hdr *)rqst->rq_iov[0].iov_base;
  473. struct mid_q_entry *mid;
  474. smb2_seq_num_into_buf(server, hdr);
  475. mid = smb2_mid_entry_alloc(hdr, server);
  476. if (mid == NULL)
  477. return ERR_PTR(-ENOMEM);
  478. rc = smb2_sign_rqst(rqst, server);
  479. if (rc) {
  480. DeleteMidQEntry(mid);
  481. return ERR_PTR(rc);
  482. }
  483. return mid;
  484. }