[CIFS] Fix ntlmv2 auth with ntlmssp

[net-next-2.6.git] / fs / cifs / sess.c

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 0a57cb7db5dd7554030e599cd111379e343083df..41fc5328120d61e66a8c95fb130359fec6ad3f35 100644 (file)
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -383,6 +383,9 @@ static int decode_ascii_ssetup(char **pbcc_area, int bleft,
 static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
                                    struct cifsSesInfo *ses)
 {
+       unsigned int tioffset; /* challeng message target info area */
+       unsigned int tilen; /* challeng message target info area length  */
+
        CHALLENGE_MESSAGE *pblob = (CHALLENGE_MESSAGE *)bcc_ptr;
 
        if (blob_len < sizeof(CHALLENGE_MESSAGE)) {
@@ -405,6 +408,18 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
        /* BB spec says that if AvId field of MsvAvTimestamp is populated then
                we must set the MIC field of the AUTHENTICATE_MESSAGE */
 
+       tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
+       tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
+       ses->server->tilen = tilen;
+       if (tilen) {
+               ses->server->tiblob = kmalloc(tilen, GFP_KERNEL);
+               if (!ses->server->tiblob) {
+                       cERROR(1, "Challenge target info allocation failure");
+                       return -ENOMEM;
+               }
+               memcpy(ses->server->tiblob,  bcc_ptr + tioffset, tilen);
+       }
+
        return 0;
 }
 
@@ -451,10 +466,12 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
                                   struct cifsSesInfo *ses,
                                   const struct nls_table *nls_cp, bool first)
 {
+       int rc;
+       unsigned int size;
        AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
        __u32 flags;
        unsigned char *tmp;
-       char ntlm_session_key[CIFS_SESS_KEY_SIZE];
+       struct ntlmv2_resp ntlmv2_response = {};
 
        memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
        sec_blob->MessageType = NtLmAuthenticate;
@@ -477,19 +494,25 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
        sec_blob->LmChallengeResponse.Length = 0;
        sec_blob->LmChallengeResponse.MaximumLength = 0;
 
-       /* calculate session key,  BB what about adding similar ntlmv2 path? */
-       SMBNTencrypt(ses->password, ses->server->cryptKey, ntlm_session_key);
-       if (first)
-               cifs_calculate_mac_key(&ses->server->mac_signing_key,
-                                      ntlm_session_key, ses->password);
-
-       memcpy(tmp, ntlm_session_key, CIFS_SESS_KEY_SIZE);
        sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
-       sec_blob->NtChallengeResponse.Length = cpu_to_le16(CIFS_SESS_KEY_SIZE);
-       sec_blob->NtChallengeResponse.MaximumLength =
-                               cpu_to_le16(CIFS_SESS_KEY_SIZE);
+       rc = setup_ntlmv2_rsp(ses, (char *)&ntlmv2_response, nls_cp);
+       if (rc) {
+               cERROR(1, "error rc: %d during ntlmssp ntlmv2 setup", rc);
+               goto setup_ntlmv2_ret;
+       }
+       size =  sizeof(struct ntlmv2_resp);
+       memcpy(tmp, (char *)&ntlmv2_response, size);
+       tmp += size;
+       if (ses->server->tilen > 0) {
+               memcpy(tmp, ses->server->tiblob, ses->server->tilen);
+               tmp += ses->server->tilen;
+       } else
+               ses->server->tilen = 0;
 
-       tmp += CIFS_SESS_KEY_SIZE;
+       sec_blob->NtChallengeResponse.Length = cpu_to_le16(size +
+                               ses->server->tilen);
+       sec_blob->NtChallengeResponse.MaximumLength =
+               cpu_to_le16(size + ses->server->tilen);
 
        if (ses->domainName == NULL) {
                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
@@ -501,7 +524,6 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
                len = cifs_strtoUCS((__le16 *)tmp, ses->domainName,
                                    MAX_USERNAME_SIZE, nls_cp);
                len *= 2; /* unicode is 2 bytes each */
-               len += 2; /* trailing null */
                sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
                sec_blob->DomainName.Length = cpu_to_le16(len);
                sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
@@ -518,7 +540,6 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
                len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
                                    MAX_USERNAME_SIZE, nls_cp);
                len *= 2; /* unicode is 2 bytes each */
-               len += 2; /* trailing null */
                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
                sec_blob->UserName.Length = cpu_to_le16(len);
                sec_blob->UserName.MaximumLength = cpu_to_le16(len);
@@ -530,9 +551,26 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
        sec_blob->WorkstationName.MaximumLength = 0;
        tmp += 2;
 
-       sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
-       sec_blob->SessionKey.Length = 0;
-       sec_blob->SessionKey.MaximumLength = 0;
+       if ((ses->server->ntlmssp.server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) &&
+                       !calc_seckey(ses->server)) {
+               memcpy(tmp, ses->server->ntlmssp.ciphertext, CIFS_CPHTXT_SIZE);
+               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
+               sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
+               sec_blob->SessionKey.MaximumLength =
+                       cpu_to_le16(CIFS_CPHTXT_SIZE);
+               tmp += CIFS_CPHTXT_SIZE;
+       } else {
+               sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
+               sec_blob->SessionKey.Length = 0;
+               sec_blob->SessionKey.MaximumLength = 0;
+       }
+
+       ses->server->sequence_number = 0;
+
+setup_ntlmv2_ret:
+       if (ses->server->tilen > 0)
+               kfree(ses->server->tiblob);
+
        return tmp - pbuffer;
 }
 
@@ -546,15 +584,14 @@ static void setup_ntlmssp_neg_req(SESSION_SETUP_ANDX *pSMB,
        return;
 }
 
-static int setup_ntlmssp_auth_req(SESSION_SETUP_ANDX *pSMB,
+static int setup_ntlmssp_auth_req(char *ntlmsspblob,
                                  struct cifsSesInfo *ses,
                                  const struct nls_table *nls, bool first_time)
 {
        int bloblen;
 
-       bloblen = build_ntlmssp_auth_blob(&pSMB->req.SecurityBlob[0], ses, nls,
+       bloblen = build_ntlmssp_auth_blob(ntlmsspblob, ses, nls,
                                          first_time);
-       pSMB->req.SecurityBlobLength = cpu_to_le16(bloblen);
 
        return bloblen;
 }
@@ -580,6 +617,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
        struct key *spnego_key = NULL;
        __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
        bool first_time;
+       char *ntlmsspblob;
 
        if (ses == NULL)
                return -EINVAL;
@@ -690,7 +728,7 @@ ssetup_ntlmssp_authenticate:
 
                if (first_time) /* should this be moved into common code
                                  with similar ntlmv2 path? */
-                       cifs_calculate_mac_key(&ses->server->mac_signing_key,
+                       cifs_calculate_session_key(&ses->server->session_key,
                                ntlm_session_key, ses->password);
                /* copy session key */
 
@@ -729,12 +767,21 @@ ssetup_ntlmssp_authenticate:
                        cpu_to_le16(sizeof(struct ntlmv2_resp));
 
                /* calculate session key */
-               setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
+               rc = setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
+               if (rc) {
+                       kfree(v2_sess_key);
+                       goto ssetup_exit;
+               }
                /* FIXME: calculate MAC key */
                memcpy(bcc_ptr, (char *)v2_sess_key,
                       sizeof(struct ntlmv2_resp));
                bcc_ptr += sizeof(struct ntlmv2_resp);
                kfree(v2_sess_key);
+               if (ses->server->tilen > 0) {
+                       memcpy(bcc_ptr, ses->server->tiblob,
+                               ses->server->tilen);
+                       bcc_ptr += ses->server->tilen;
+               }
                if (ses->capabilities & CAP_UNICODE) {
                        if (iov[0].iov_len % 2) {
                                *bcc_ptr = 0;
@@ -765,15 +812,15 @@ ssetup_ntlmssp_authenticate:
                }
                /* bail out if key is too long */
                if (msg->sesskey_len >
-                   sizeof(ses->server->mac_signing_key.data.krb5)) {
+                   sizeof(ses->server->session_key.data.krb5)) {
                        cERROR(1, "Kerberos signing key too long (%u bytes)",
                                msg->sesskey_len);
                        rc = -EOVERFLOW;
                        goto ssetup_exit;
                }
                if (first_time) {
-                       ses->server->mac_signing_key.len = msg->sesskey_len;
-                       memcpy(ses->server->mac_signing_key.data.krb5,
+                       ses->server->session_key.len = msg->sesskey_len;
+                       memcpy(ses->server->session_key.data.krb5,
                                msg->data, msg->sesskey_len);
                }
                pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
@@ -815,12 +862,26 @@ ssetup_ntlmssp_authenticate:
                        if (phase == NtLmNegotiate) {
                                setup_ntlmssp_neg_req(pSMB, ses);
                                iov[1].iov_len = sizeof(NEGOTIATE_MESSAGE);
+                               iov[1].iov_base = &pSMB->req.SecurityBlob[0];
                        } else if (phase == NtLmAuthenticate) {
                                int blob_len;
-                               blob_len = setup_ntlmssp_auth_req(pSMB, ses,
-                                                                 nls_cp,
-                                                                 first_time);
+                               ntlmsspblob = kmalloc(5 *
+                                       sizeof(struct _AUTHENTICATE_MESSAGE),
+                                       GFP_KERNEL);
+                               if (!ntlmsspblob) {
+                                       cERROR(1, "Can't allocate NTLMSSP");
+                                       rc = -ENOMEM;
+                                       goto ssetup_exit;
+                               }
+
+                               blob_len = setup_ntlmssp_auth_req(ntlmsspblob,
+                                                               ses,
+                                                               nls_cp,
+                                                               first_time);
                                iov[1].iov_len = blob_len;
+                               iov[1].iov_base = ntlmsspblob;
+                               pSMB->req.SecurityBlobLength =
+                                       cpu_to_le16(blob_len);
                                /* Make sure that we tell the server that we
                                   are using the uid that it just gave us back
                                   on the response (challenge) */
@@ -830,7 +891,6 @@ ssetup_ntlmssp_authenticate:
                                rc = -ENOSYS;
                                goto ssetup_exit;
                        }
-                       iov[1].iov_base = &pSMB->req.SecurityBlob[0];
                        /* unicode strings must be word aligned */
                        if ((iov[0].iov_len + iov[1].iov_len) % 2) {
                                *bcc_ptr = 0;