2 * fs/cifs/smb2transport.c
4 * Copyright (C) International Business Machines Corp., 2002, 2011
6 * Author(s): Steve French (sfrench@us.ibm.com)
7 * Jeremy Allison (jra@samba.org) 2006
8 * Pavel Shilovsky (pshilovsky@samba.org) 2012
10 * This library is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU Lesser General Public License as published
12 * by the Free Software Foundation; either version 2.1 of the License, or
13 * (at your option) any later version.
15 * This library is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
18 * the GNU Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with this library; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 #include <linux/list.h>
27 #include <linux/wait.h>
28 #include <linux/net.h>
29 #include <linux/delay.h>
30 #include <linux/uaccess.h>
31 #include <asm/processor.h>
32 #include <linux/mempool.h>
33 #include <linux/highmem.h>
36 #include "cifsproto.h"
37 #include "smb2proto.h"
38 #include "cifs_debug.h"
39 #include "smb2status.h"
43 smb2_crypto_shash_allocate(struct TCP_Server_Info
*server
)
48 if (server
->secmech
.sdeschmacsha256
!= NULL
)
49 return 0; /* already allocated */
51 server
->secmech
.hmacsha256
= crypto_alloc_shash("hmac(sha256)", 0, 0);
52 if (IS_ERR(server
->secmech
.hmacsha256
)) {
53 cifs_dbg(VFS
, "could not allocate crypto hmacsha256\n");
54 rc
= PTR_ERR(server
->secmech
.hmacsha256
);
55 server
->secmech
.hmacsha256
= NULL
;
59 size
= sizeof(struct shash_desc
) +
60 crypto_shash_descsize(server
->secmech
.hmacsha256
);
61 server
->secmech
.sdeschmacsha256
= kmalloc(size
, GFP_KERNEL
);
62 if (!server
->secmech
.sdeschmacsha256
) {
63 crypto_free_shash(server
->secmech
.hmacsha256
);
64 server
->secmech
.hmacsha256
= NULL
;
67 server
->secmech
.sdeschmacsha256
->shash
.tfm
= server
->secmech
.hmacsha256
;
68 server
->secmech
.sdeschmacsha256
->shash
.flags
= 0x0;
74 smb3_crypto_shash_allocate(struct TCP_Server_Info
*server
)
79 if (server
->secmech
.sdesccmacaes
!= NULL
)
80 return 0; /* already allocated */
82 rc
= smb2_crypto_shash_allocate(server
);
86 server
->secmech
.cmacaes
= crypto_alloc_shash("cmac(aes)", 0, 0);
87 if (IS_ERR(server
->secmech
.cmacaes
)) {
88 cifs_dbg(VFS
, "could not allocate crypto cmac-aes");
89 kfree(server
->secmech
.sdeschmacsha256
);
90 server
->secmech
.sdeschmacsha256
= NULL
;
91 crypto_free_shash(server
->secmech
.hmacsha256
);
92 server
->secmech
.hmacsha256
= NULL
;
93 rc
= PTR_ERR(server
->secmech
.cmacaes
);
94 server
->secmech
.cmacaes
= NULL
;
98 size
= sizeof(struct shash_desc
) +
99 crypto_shash_descsize(server
->secmech
.cmacaes
);
100 server
->secmech
.sdesccmacaes
= kmalloc(size
, GFP_KERNEL
);
101 if (!server
->secmech
.sdesccmacaes
) {
102 cifs_dbg(VFS
, "%s: Can't alloc cmacaes\n", __func__
);
103 kfree(server
->secmech
.sdeschmacsha256
);
104 server
->secmech
.sdeschmacsha256
= NULL
;
105 crypto_free_shash(server
->secmech
.hmacsha256
);
106 crypto_free_shash(server
->secmech
.cmacaes
);
107 server
->secmech
.hmacsha256
= NULL
;
108 server
->secmech
.cmacaes
= NULL
;
111 server
->secmech
.sdesccmacaes
->shash
.tfm
= server
->secmech
.cmacaes
;
112 server
->secmech
.sdesccmacaes
->shash
.flags
= 0x0;
117 static struct cifs_ses
*
118 smb2_find_smb_ses_unlocked(struct TCP_Server_Info
*server
, __u64 ses_id
)
120 struct cifs_ses
*ses
;
122 list_for_each_entry(ses
, &server
->smb_ses_list
, smb_ses_list
) {
123 if (ses
->Suid
!= ses_id
)
132 smb2_find_smb_ses(struct TCP_Server_Info
*server
, __u64 ses_id
)
134 struct cifs_ses
*ses
;
136 spin_lock(&cifs_tcp_ses_lock
);
137 ses
= smb2_find_smb_ses_unlocked(server
, ses_id
);
138 spin_unlock(&cifs_tcp_ses_lock
);
143 static struct cifs_tcon
*
144 smb2_find_smb_sess_tcon_unlocked(struct cifs_ses
*ses
, __u32 tid
)
146 struct cifs_tcon
*tcon
;
148 list_for_each_entry(tcon
, &ses
->tcon_list
, tcon_list
) {
149 if (tcon
->tid
!= tid
)
159 * Obtain tcon corresponding to the tid in the given
164 smb2_find_smb_tcon(struct TCP_Server_Info
*server
, __u64 ses_id
, __u32 tid
)
166 struct cifs_ses
*ses
;
167 struct cifs_tcon
*tcon
;
169 spin_lock(&cifs_tcp_ses_lock
);
170 ses
= smb2_find_smb_ses_unlocked(server
, ses_id
);
172 spin_unlock(&cifs_tcp_ses_lock
);
175 tcon
= smb2_find_smb_sess_tcon_unlocked(ses
, tid
);
176 spin_unlock(&cifs_tcp_ses_lock
);
182 smb2_calc_signature(struct smb_rqst
*rqst
, struct TCP_Server_Info
*server
)
185 unsigned char smb2_signature
[SMB2_HMACSHA256_SIZE
];
186 unsigned char *sigptr
= smb2_signature
;
187 struct kvec
*iov
= rqst
->rq_iov
;
188 int n_vec
= rqst
->rq_nvec
;
189 struct smb2_hdr
*smb2_pdu
= (struct smb2_hdr
*)iov
[0].iov_base
;
190 struct cifs_ses
*ses
;
192 ses
= smb2_find_smb_ses(server
, smb2_pdu
->SessionId
);
194 cifs_dbg(VFS
, "%s: Could not find session\n", __func__
);
198 memset(smb2_signature
, 0x0, SMB2_HMACSHA256_SIZE
);
199 memset(smb2_pdu
->Signature
, 0x0, SMB2_SIGNATURE_SIZE
);
201 rc
= smb2_crypto_shash_allocate(server
);
203 cifs_dbg(VFS
, "%s: shah256 alloc failed\n", __func__
);
207 rc
= crypto_shash_setkey(server
->secmech
.hmacsha256
,
208 ses
->auth_key
.response
, SMB2_NTLMV2_SESSKEY_SIZE
);
210 cifs_dbg(VFS
, "%s: Could not update with response\n", __func__
);
214 rc
= crypto_shash_init(&server
->secmech
.sdeschmacsha256
->shash
);
216 cifs_dbg(VFS
, "%s: Could not init sha256", __func__
);
220 for (i
= 0; i
< n_vec
; i
++) {
221 if (iov
[i
].iov_len
== 0)
223 if (iov
[i
].iov_base
== NULL
) {
224 cifs_dbg(VFS
, "null iovec entry\n");
228 * The first entry includes a length field (which does not get
229 * signed that occupies the first 4 bytes before the header).
232 if (iov
[0].iov_len
<= 8) /* cmd field at offset 9 */
233 break; /* nothing to sign or corrupt header */
236 &server
->secmech
.sdeschmacsha256
->shash
,
237 iov
[i
].iov_base
+ 4, iov
[i
].iov_len
- 4);
241 &server
->secmech
.sdeschmacsha256
->shash
,
242 iov
[i
].iov_base
, iov
[i
].iov_len
);
245 cifs_dbg(VFS
, "%s: Could not update with payload\n",
251 /* now hash over the rq_pages array */
252 for (i
= 0; i
< rqst
->rq_npages
; i
++) {
255 cifs_rqst_page_to_kvec(rqst
, i
, &p_iov
);
256 crypto_shash_update(&server
->secmech
.sdeschmacsha256
->shash
,
257 p_iov
.iov_base
, p_iov
.iov_len
);
258 kunmap(rqst
->rq_pages
[i
]);
261 rc
= crypto_shash_final(&server
->secmech
.sdeschmacsha256
->shash
,
264 cifs_dbg(VFS
, "%s: Could not generate sha256 hash\n", __func__
);
266 memcpy(smb2_pdu
->Signature
, sigptr
, SMB2_SIGNATURE_SIZE
);
272 generate_smb3signingkey(struct cifs_ses
*ses
)
274 unsigned char zero
= 0x0;
275 __u8 i
[4] = {0, 0, 0, 1};
276 __u8 L
[4] = {0, 0, 0, 128};
278 unsigned char prfhash
[SMB2_HMACSHA256_SIZE
];
279 unsigned char *hashptr
= prfhash
;
281 memset(prfhash
, 0x0, SMB2_HMACSHA256_SIZE
);
282 memset(ses
->smb3signingkey
, 0x0, SMB3_SIGNKEY_SIZE
);
284 rc
= smb3_crypto_shash_allocate(ses
->server
);
286 cifs_dbg(VFS
, "%s: crypto alloc failed\n", __func__
);
287 goto smb3signkey_ret
;
290 rc
= crypto_shash_setkey(ses
->server
->secmech
.hmacsha256
,
291 ses
->auth_key
.response
, SMB2_NTLMV2_SESSKEY_SIZE
);
293 cifs_dbg(VFS
, "%s: Could not set with session key\n", __func__
);
294 goto smb3signkey_ret
;
297 rc
= crypto_shash_init(&ses
->server
->secmech
.sdeschmacsha256
->shash
);
299 cifs_dbg(VFS
, "%s: Could not init sign hmac\n", __func__
);
300 goto smb3signkey_ret
;
303 rc
= crypto_shash_update(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
306 cifs_dbg(VFS
, "%s: Could not update with n\n", __func__
);
307 goto smb3signkey_ret
;
310 rc
= crypto_shash_update(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
313 cifs_dbg(VFS
, "%s: Could not update with label\n", __func__
);
314 goto smb3signkey_ret
;
317 rc
= crypto_shash_update(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
320 cifs_dbg(VFS
, "%s: Could not update with zero\n", __func__
);
321 goto smb3signkey_ret
;
324 rc
= crypto_shash_update(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
327 cifs_dbg(VFS
, "%s: Could not update with context\n", __func__
);
328 goto smb3signkey_ret
;
331 rc
= crypto_shash_update(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
334 cifs_dbg(VFS
, "%s: Could not update with L\n", __func__
);
335 goto smb3signkey_ret
;
338 rc
= crypto_shash_final(&ses
->server
->secmech
.sdeschmacsha256
->shash
,
341 cifs_dbg(VFS
, "%s: Could not generate sha256 hash\n", __func__
);
342 goto smb3signkey_ret
;
345 memcpy(ses
->smb3signingkey
, hashptr
, SMB3_SIGNKEY_SIZE
);
352 smb3_calc_signature(struct smb_rqst
*rqst
, struct TCP_Server_Info
*server
)
356 unsigned char smb3_signature
[SMB2_CMACAES_SIZE
];
357 unsigned char *sigptr
= smb3_signature
;
358 struct kvec
*iov
= rqst
->rq_iov
;
359 int n_vec
= rqst
->rq_nvec
;
360 struct smb2_hdr
*smb2_pdu
= (struct smb2_hdr
*)iov
[0].iov_base
;
361 struct cifs_ses
*ses
;
363 ses
= smb2_find_smb_ses(server
, smb2_pdu
->SessionId
);
365 cifs_dbg(VFS
, "%s: Could not find session\n", __func__
);
369 memset(smb3_signature
, 0x0, SMB2_CMACAES_SIZE
);
370 memset(smb2_pdu
->Signature
, 0x0, SMB2_SIGNATURE_SIZE
);
372 rc
= crypto_shash_setkey(server
->secmech
.cmacaes
,
373 ses
->smb3signingkey
, SMB2_CMACAES_SIZE
);
376 cifs_dbg(VFS
, "%s: Could not set key for cmac aes\n", __func__
);
381 * we already allocate sdesccmacaes when we init smb3 signing key,
382 * so unlike smb2 case we do not have to check here if secmech are
385 rc
= crypto_shash_init(&server
->secmech
.sdesccmacaes
->shash
);
387 cifs_dbg(VFS
, "%s: Could not init cmac aes\n", __func__
);
391 for (i
= 0; i
< n_vec
; i
++) {
392 if (iov
[i
].iov_len
== 0)
394 if (iov
[i
].iov_base
== NULL
) {
395 cifs_dbg(VFS
, "null iovec entry");
399 * The first entry includes a length field (which does not get
400 * signed that occupies the first 4 bytes before the header).
403 if (iov
[0].iov_len
<= 8) /* cmd field at offset 9 */
404 break; /* nothing to sign or corrupt header */
407 &server
->secmech
.sdesccmacaes
->shash
,
408 iov
[i
].iov_base
+ 4, iov
[i
].iov_len
- 4);
412 &server
->secmech
.sdesccmacaes
->shash
,
413 iov
[i
].iov_base
, iov
[i
].iov_len
);
416 cifs_dbg(VFS
, "%s: Couldn't update cmac aes with payload\n",
422 /* now hash over the rq_pages array */
423 for (i
= 0; i
< rqst
->rq_npages
; i
++) {
426 cifs_rqst_page_to_kvec(rqst
, i
, &p_iov
);
427 crypto_shash_update(&server
->secmech
.sdesccmacaes
->shash
,
428 p_iov
.iov_base
, p_iov
.iov_len
);
429 kunmap(rqst
->rq_pages
[i
]);
432 rc
= crypto_shash_final(&server
->secmech
.sdesccmacaes
->shash
,
435 cifs_dbg(VFS
, "%s: Could not generate cmac aes\n", __func__
);
437 memcpy(smb2_pdu
->Signature
, sigptr
, SMB2_SIGNATURE_SIZE
);
442 /* must be called with server->srv_mutex held */
444 smb2_sign_rqst(struct smb_rqst
*rqst
, struct TCP_Server_Info
*server
)
447 struct smb2_hdr
*smb2_pdu
= rqst
->rq_iov
[0].iov_base
;
449 if (!(smb2_pdu
->Flags
& SMB2_FLAGS_SIGNED
) ||
450 server
->tcpStatus
== CifsNeedNegotiate
)
453 if (!server
->session_estab
) {
454 strncpy(smb2_pdu
->Signature
, "BSRSPYL", 8);
458 rc
= server
->ops
->calc_signature(rqst
, server
);
464 smb2_verify_signature(struct smb_rqst
*rqst
, struct TCP_Server_Info
*server
)
467 char server_response_sig
[16];
468 struct smb2_hdr
*smb2_pdu
= (struct smb2_hdr
*)rqst
->rq_iov
[0].iov_base
;
470 if ((smb2_pdu
->Command
== SMB2_NEGOTIATE
) ||
471 (smb2_pdu
->Command
== SMB2_SESSION_SETUP
) ||
472 (smb2_pdu
->Command
== SMB2_OPLOCK_BREAK
) ||
473 (!server
->session_estab
))
477 * BB what if signatures are supposed to be on for session but
478 * server does not send one? BB
481 /* Do not need to verify session setups with signature "BSRSPYL " */
482 if (memcmp(smb2_pdu
->Signature
, "BSRSPYL ", 8) == 0)
483 cifs_dbg(FYI
, "dummy signature received for smb command 0x%x\n",
487 * Save off the origiginal signature so we can modify the smb and check
488 * our calculated signature against what the server sent.
490 memcpy(server_response_sig
, smb2_pdu
->Signature
, SMB2_SIGNATURE_SIZE
);
492 memset(smb2_pdu
->Signature
, 0, SMB2_SIGNATURE_SIZE
);
494 mutex_lock(&server
->srv_mutex
);
495 rc
= server
->ops
->calc_signature(rqst
, server
);
496 mutex_unlock(&server
->srv_mutex
);
501 if (memcmp(server_response_sig
, smb2_pdu
->Signature
,
502 SMB2_SIGNATURE_SIZE
))
509 * Set message id for the request. Should be called after wait_for_free_request
510 * and when srv_mutex is held.
513 smb2_seq_num_into_buf(struct TCP_Server_Info
*server
, struct smb2_hdr
*hdr
)
515 unsigned int i
, num
= le16_to_cpu(hdr
->CreditCharge
);
517 hdr
->MessageId
= get_next_mid64(server
);
518 /* skip message numbers according to CreditCharge field */
519 for (i
= 1; i
< num
; i
++)
520 get_next_mid(server
);
523 static struct mid_q_entry
*
524 smb2_mid_entry_alloc(const struct smb2_hdr
*smb_buffer
,
525 struct TCP_Server_Info
*server
)
527 struct mid_q_entry
*temp
;
529 if (server
== NULL
) {
530 cifs_dbg(VFS
, "Null TCP session in smb2_mid_entry_alloc\n");
534 temp
= mempool_alloc(cifs_mid_poolp
, GFP_NOFS
);
538 memset(temp
, 0, sizeof(struct mid_q_entry
));
539 temp
->mid
= le64_to_cpu(smb_buffer
->MessageId
);
540 temp
->pid
= current
->pid
;
541 temp
->command
= smb_buffer
->Command
; /* Always LE */
542 temp
->when_alloc
= jiffies
;
543 temp
->server
= server
;
546 * The default is for the mid to be synchronous, so the
547 * default callback just wakes up the current task.
549 temp
->callback
= cifs_wake_up_task
;
550 temp
->callback_data
= current
;
553 atomic_inc(&midCount
);
554 temp
->mid_state
= MID_REQUEST_ALLOCATED
;
559 smb2_get_mid_entry(struct cifs_ses
*ses
, struct smb2_hdr
*buf
,
560 struct mid_q_entry
**mid
)
562 if (ses
->server
->tcpStatus
== CifsExiting
)
565 if (ses
->server
->tcpStatus
== CifsNeedReconnect
) {
566 cifs_dbg(FYI
, "tcp session dead - return to caller to retry\n");
570 if (ses
->status
== CifsNew
) {
571 if ((buf
->Command
!= SMB2_SESSION_SETUP
) &&
572 (buf
->Command
!= SMB2_NEGOTIATE
))
574 /* else ok - we are setting up session */
577 if (ses
->status
== CifsExiting
) {
578 if (buf
->Command
!= SMB2_LOGOFF
)
580 /* else ok - we are shutting down the session */
583 *mid
= smb2_mid_entry_alloc(buf
, ses
->server
);
586 spin_lock(&GlobalMid_Lock
);
587 list_add_tail(&(*mid
)->qhead
, &ses
->server
->pending_mid_q
);
588 spin_unlock(&GlobalMid_Lock
);
593 smb2_check_receive(struct mid_q_entry
*mid
, struct TCP_Server_Info
*server
,
596 unsigned int len
= get_rfc1002_length(mid
->resp_buf
);
598 struct smb_rqst rqst
= { .rq_iov
= &iov
,
601 iov
.iov_base
= (char *)mid
->resp_buf
;
602 iov
.iov_len
= get_rfc1002_length(mid
->resp_buf
) + 4;
604 dump_smb(mid
->resp_buf
, min_t(u32
, 80, len
));
605 /* convert the length into a more usable form */
606 if (len
> 24 && server
->sign
) {
609 rc
= smb2_verify_signature(&rqst
, server
);
611 cifs_dbg(VFS
, "SMB signature verification returned error = %d\n",
615 return map_smb2_to_linux_error(mid
->resp_buf
, log_error
);
619 smb2_setup_request(struct cifs_ses
*ses
, struct smb_rqst
*rqst
)
622 struct smb2_hdr
*hdr
= (struct smb2_hdr
*)rqst
->rq_iov
[0].iov_base
;
623 struct mid_q_entry
*mid
;
625 smb2_seq_num_into_buf(ses
->server
, hdr
);
627 rc
= smb2_get_mid_entry(ses
, hdr
, &mid
);
630 rc
= smb2_sign_rqst(rqst
, ses
->server
);
632 cifs_delete_mid(mid
);
639 smb2_setup_async_request(struct TCP_Server_Info
*server
, struct smb_rqst
*rqst
)
642 struct smb2_hdr
*hdr
= (struct smb2_hdr
*)rqst
->rq_iov
[0].iov_base
;
643 struct mid_q_entry
*mid
;
645 smb2_seq_num_into_buf(server
, hdr
);
647 mid
= smb2_mid_entry_alloc(hdr
, server
);
649 return ERR_PTR(-ENOMEM
);
651 rc
= smb2_sign_rqst(rqst
, server
);
653 DeleteMidQEntry(mid
);