cifs: SMB1 split: cifsencrypt.c

cifs-$(CONFIG_CIFS_ALLOW_INSECURE_LEGACY) += \

	cifssmb.o \

	smb1debug.o \

	smb1encrypt.o \

	smb1maperror.o \

	smb1misc.o \

	smb1ops.o \

	return rc;

}

/*

 * Calculate and return the CIFS signature based on the mac key and SMB PDU.

 * The 16 byte signature must be allocated by the caller. Note we only use the

 * 1st eight bytes and that the smb header signature field on input contains

 * the sequence number before this function is called. Also, this function

 * should be called with the server->srv_mutex held.

 */

static int cifs_calc_signature(struct smb_rqst *rqst,

			struct TCP_Server_Info *server, char *signature)

{

	struct md5_ctx ctx;

	if (!rqst->rq_iov || !signature || !server)

		return -EINVAL;

	if (fips_enabled) {

		cifs_dbg(VFS,

			 "MD5 signature support is disabled due to FIPS\n");

		return -EOPNOTSUPP;

	}

	md5_init(&ctx);

	md5_update(&ctx, server->session_key.response, server->session_key.len);

	return __cifs_calc_signature(

		rqst, server, signature,

		&(struct cifs_calc_sig_ctx){ .md5 = &ctx });

}

/* must be called with server->srv_mutex held */

int cifs_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server,

		   __u32 *pexpected_response_sequence_number)

{

	int rc = 0;

	char smb_signature[20];

	struct smb_hdr *cifs_pdu = (struct smb_hdr *)rqst->rq_iov[0].iov_base;

	if ((cifs_pdu == NULL) || (server == NULL))

		return -EINVAL;

	spin_lock(&server->srv_lock);

	if (!(cifs_pdu->Flags2 & SMBFLG2_SECURITY_SIGNATURE) ||

	    server->tcpStatus == CifsNeedNegotiate) {

		spin_unlock(&server->srv_lock);

		return rc;

	}

	spin_unlock(&server->srv_lock);

	if (!server->session_estab) {

		memcpy(cifs_pdu->Signature.SecuritySignature, "BSRSPYL", 8);

		return rc;

	}

	cifs_pdu->Signature.Sequence.SequenceNumber =

				cpu_to_le32(server->sequence_number);

	cifs_pdu->Signature.Sequence.Reserved = 0;

	*pexpected_response_sequence_number = ++server->sequence_number;

	++server->sequence_number;

	rc = cifs_calc_signature(rqst, server, smb_signature);

	if (rc)

		memset(cifs_pdu->Signature.SecuritySignature, 0, 8);

	else

		memcpy(cifs_pdu->Signature.SecuritySignature, smb_signature, 8);

	return rc;

}

int cifs_verify_signature(struct smb_rqst *rqst,

			  struct TCP_Server_Info *server,

			  __u32 expected_sequence_number)

{

	unsigned int rc;

	char server_response_sig[8];

	char what_we_think_sig_should_be[20];

	struct smb_hdr *cifs_pdu = (struct smb_hdr *)rqst->rq_iov[0].iov_base;

	if (cifs_pdu == NULL || server == NULL)

		return -EINVAL;

	if (!server->session_estab)

		return 0;

	if (cifs_pdu->Command == SMB_COM_LOCKING_ANDX) {

		struct smb_com_lock_req *pSMB =

			(struct smb_com_lock_req *)cifs_pdu;

		if (pSMB->LockType & LOCKING_ANDX_OPLOCK_RELEASE)

			return 0;

	}

	/* BB what if signatures are supposed to be on for session but

	   server does not send one? BB */

	/* Do not need to verify session setups with signature "BSRSPYL "  */

	if (memcmp(cifs_pdu->Signature.SecuritySignature, "BSRSPYL ", 8) == 0)

		cifs_dbg(FYI, "dummy signature received for smb command 0x%x\n",

			 cifs_pdu->Command);

	/* save off the original signature so we can modify the smb and check

		its signature against what the server sent */

	memcpy(server_response_sig, cifs_pdu->Signature.SecuritySignature, 8);

	cifs_pdu->Signature.Sequence.SequenceNumber =

					cpu_to_le32(expected_sequence_number);

	cifs_pdu->Signature.Sequence.Reserved = 0;

	cifs_server_lock(server);

	rc = cifs_calc_signature(rqst, server, what_we_think_sig_should_be);

	cifs_server_unlock(server);

	if (rc)

		return rc;

/*	cifs_dump_mem("what we think it should be: ",

		      what_we_think_sig_should_be, 16); */

	if (memcmp(server_response_sig, what_we_think_sig_should_be, 8))

		return -EACCES;

	else

		return 0;

}

/* Build a proper attribute value/target info pairs blob.

 * Fill in netbios and dns domain name and workstation name

 * and client time (total five av pairs and + one end of fields indicator.

				  enum smb3_tcon_ref_trace trace);

void tconInfoFree(struct cifs_tcon *tcon, enum smb3_tcon_ref_trace trace);

int cifs_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server,

		   __u32 *pexpected_response_sequence_number);

int cifs_verify_signature(struct smb_rqst *rqst,

			  struct TCP_Server_Info *server,

			  __u32 expected_sequence_number);

int setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp);

void cifs_crypto_secmech_release(struct TCP_Server_Info *server);

int calc_seckey(struct cifs_ses *ses);

// SPDX-License-Identifier: LGPL-2.1

/*

 *

 *   Encryption and hashing operations relating to NTLM, NTLMv2.  See MS-NLMP

 *   for more detailed information

 *

 *   Copyright (C) International Business Machines  Corp., 2005,2013

 *   Author(s): Steve French (sfrench@us.ibm.com)

 *

 */

#include <linux/fips.h>

#include <crypto/md5.h>

#include "cifsproto.h"

#include "smb1proto.h"

#include "cifs_debug.h"

/*

 * Calculate and return the CIFS signature based on the mac key and SMB PDU.

 * The 16 byte signature must be allocated by the caller. Note we only use the

 * 1st eight bytes and that the smb header signature field on input contains

 * the sequence number before this function is called. Also, this function

 * should be called with the server->srv_mutex held.

 */

static int cifs_calc_signature(struct smb_rqst *rqst,

			struct TCP_Server_Info *server, char *signature)

{

	struct md5_ctx ctx;

	if (!rqst->rq_iov || !signature || !server)

		return -EINVAL;

	if (fips_enabled) {

		cifs_dbg(VFS,

			 "MD5 signature support is disabled due to FIPS\n");

		return -EOPNOTSUPP;

	}

	md5_init(&ctx);

	md5_update(&ctx, server->session_key.response, server->session_key.len);

	return __cifs_calc_signature(

		rqst, server, signature,

		&(struct cifs_calc_sig_ctx){ .md5 = &ctx });

}

/* must be called with server->srv_mutex held */

int cifs_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server,

		   __u32 *pexpected_response_sequence_number)

{

	int rc = 0;

	char smb_signature[20];

	struct smb_hdr *cifs_pdu = (struct smb_hdr *)rqst->rq_iov[0].iov_base;

	if ((cifs_pdu == NULL) || (server == NULL))

		return -EINVAL;

	spin_lock(&server->srv_lock);

	if (!(cifs_pdu->Flags2 & SMBFLG2_SECURITY_SIGNATURE) ||

	    server->tcpStatus == CifsNeedNegotiate) {

		spin_unlock(&server->srv_lock);

		return rc;

	}

	spin_unlock(&server->srv_lock);

	if (!server->session_estab) {

		memcpy(cifs_pdu->Signature.SecuritySignature, "BSRSPYL", 8);

		return rc;

	}

	cifs_pdu->Signature.Sequence.SequenceNumber =

				cpu_to_le32(server->sequence_number);

	cifs_pdu->Signature.Sequence.Reserved = 0;

	*pexpected_response_sequence_number = ++server->sequence_number;

	++server->sequence_number;

	rc = cifs_calc_signature(rqst, server, smb_signature);

	if (rc)

		memset(cifs_pdu->Signature.SecuritySignature, 0, 8);

	else

		memcpy(cifs_pdu->Signature.SecuritySignature, smb_signature, 8);

	return rc;

}

int cifs_verify_signature(struct smb_rqst *rqst,

			  struct TCP_Server_Info *server,

			  __u32 expected_sequence_number)

{

	unsigned int rc;

	char server_response_sig[8];

	char what_we_think_sig_should_be[20];

	struct smb_hdr *cifs_pdu = (struct smb_hdr *)rqst->rq_iov[0].iov_base;

	if (cifs_pdu == NULL || server == NULL)

		return -EINVAL;

	if (!server->session_estab)

		return 0;

	if (cifs_pdu->Command == SMB_COM_LOCKING_ANDX) {

		struct smb_com_lock_req *pSMB =

			(struct smb_com_lock_req *)cifs_pdu;

		if (pSMB->LockType & LOCKING_ANDX_OPLOCK_RELEASE)

			return 0;

	}

	/* BB what if signatures are supposed to be on for session but

	   server does not send one? BB */

	/* Do not need to verify session setups with signature "BSRSPYL "  */

	if (memcmp(cifs_pdu->Signature.SecuritySignature, "BSRSPYL ", 8) == 0)

		cifs_dbg(FYI, "dummy signature received for smb command 0x%x\n",

			 cifs_pdu->Command);

	/* save off the original signature so we can modify the smb and check

		its signature against what the server sent */

	memcpy(server_response_sig, cifs_pdu->Signature.SecuritySignature, 8);

	cifs_pdu->Signature.Sequence.SequenceNumber =

					cpu_to_le32(expected_sequence_number);

	cifs_pdu->Signature.Sequence.Reserved = 0;

	cifs_server_lock(server);

	rc = cifs_calc_signature(rqst, server, what_we_think_sig_should_be);

	cifs_server_unlock(server);

	if (rc)

		return rc;

/*	cifs_dump_mem("what we think it should be: ",

		      what_we_think_sig_should_be, 16); */

	if (memcmp(server_response_sig, what_we_think_sig_should_be, 8))

		return -EACCES;

	else

		return 0;

}

void cifs_dump_detail(void *buf, size_t buf_len,

		      struct TCP_Server_Info *server);

/*

 * smb1encrypt.c

 */

int cifs_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server,

		   __u32 *pexpected_response_sequence_number);

int cifs_verify_signature(struct smb_rqst *rqst,

			  struct TCP_Server_Info *server,

			  __u32 expected_sequence_number);

/*

 * smb1maperror.c

 */