From: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 3/4] cifs: Split Kerberos authentication off CIFS_SessSetup()
Date: Thu, 1 May 2014 17:02:40 -0500 [thread overview]
Message-ID: <CADT32eJZ_FZc+vYS5_Mmhjxc0R3rc7QowmUdQym+p=9zEAHrSQ@mail.gmail.com> (raw)
In-Reply-To: <1398948065-23265-4-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Looks correct.
On Thu, May 1, 2014 at 7:41 AM, Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> Signed-off-by: Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
> fs/cifs/sess.c | 214 ++++++++++++++++++++++++++++++++++++++++-----------------
> 1 file changed, 152 insertions(+), 62 deletions(-)
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 661b67d..869ad37 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -976,6 +976,154 @@ out:
> ses->auth_key.response = NULL;
> }
>
> +#ifdef CONFIG_CIFS_UPCALL
> +static void
> +sess_auth_kerberos(struct sess_data *sess_data)
> +{
> + int rc = 0;
> + struct smb_hdr *smb_buf;
> + SESSION_SETUP_ANDX *pSMB;
> + char *bcc_ptr;
> + struct cifs_ses *ses = sess_data->ses;
> + __u32 capabilities;
> + __u16 bytes_remaining;
> + struct key *spnego_key = NULL;
> + struct cifs_spnego_msg *msg;
> + u16 blob_len;
> +
> + /* extended security */
> + /* wct = 12 */
> + rc = sess_alloc_buffer(sess_data, 12);
> + if (rc)
> + goto out;
> +
> + pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
> + bcc_ptr = sess_data->iov[2].iov_base;
> + capabilities = cifs_ssetup_hdr(ses, pSMB);
> +
> + spnego_key = cifs_get_spnego_key(ses);
> + if (IS_ERR(spnego_key)) {
> + rc = PTR_ERR(spnego_key);
> + spnego_key = NULL;
> + goto out;
> + }
> +
> + msg = spnego_key->payload.data;
> + /*
> + * check version field to make sure that cifs.upcall is
> + * sending us a response in an expected form
> + */
> + if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
> + cifs_dbg(VFS, "incorrect version of cifs.upcall "
> + "expected %d but got %d)",
> + CIFS_SPNEGO_UPCALL_VERSION, msg->version);
> + rc = -EKEYREJECTED;
> + goto out_put_spnego_key;
> + }
> +
> + ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
> + GFP_KERNEL);
> + if (!ses->auth_key.response) {
> + cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory",
> + msg->sesskey_len);
> + rc = -ENOMEM;
> + goto out_put_spnego_key;
> + }
> + ses->auth_key.len = msg->sesskey_len;
> +
> + pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
> + capabilities |= CAP_EXTENDED_SECURITY;
> + pSMB->req.Capabilities = cpu_to_le32(capabilities);
> + sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
> + sess_data->iov[1].iov_len = msg->secblob_len;
> + pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
> +
> + if (ses->capabilities & CAP_UNICODE) {
> + /* unicode strings must be word aligned */
> + if ((sess_data->iov[0].iov_len + sess_data->iov[1].iov_len) % 2) {
> + *bcc_ptr = 0;
> + bcc_ptr++;
> + }
> + unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
> + unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
> + } else {
> + /* BB: is this right? */
> + ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
> + }
> +
> + sess_data->iov[2].iov_len = (long) bcc_ptr -
> + (long) sess_data->iov[2].iov_base;
> +
> + rc = sess_sendreceive(sess_data);
> + if (rc)
> + goto out_put_spnego_key;
> +
> + pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
> + smb_buf = (struct smb_hdr *)sess_data->iov[0].iov_base;
> +
> + if (smb_buf->WordCount != 4) {
> + rc = -EIO;
> + cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
> + goto out_put_spnego_key;
> + }
> +
> + if (le16_to_cpu(pSMB->resp.Action) & GUEST_LOGIN)
> + cifs_dbg(FYI, "Guest login\n"); /* BB mark SesInfo struct? */
> +
> + ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
> + cifs_dbg(FYI, "UID = %llu\n", ses->Suid);
> +
> + bytes_remaining = get_bcc(smb_buf);
> + bcc_ptr = pByteArea(smb_buf);
> +
> + blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
> + if (blob_len > bytes_remaining) {
> + cifs_dbg(VFS, "bad security blob length %d\n",
> + blob_len);
> + rc = -EINVAL;
> + goto out_put_spnego_key;
> + }
> + bcc_ptr += blob_len;
> + bytes_remaining -= blob_len;
> +
> + /* BB check if Unicode and decode strings */
> + if (bytes_remaining == 0) {
> + /* no string area to decode, do nothing */
> + } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
> + /* unicode string area must be word-aligned */
> + if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
> + ++bcc_ptr;
> + --bytes_remaining;
> + }
> + decode_unicode_ssetup(&bcc_ptr, bytes_remaining, ses,
> + sess_data->nls_cp);
> + } else {
> + decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,
> + sess_data->nls_cp);
> + }
> +
> +out_put_spnego_key:
> + key_invalidate(spnego_key);
> + key_put(spnego_key);
> +out:
> + sess_data->result = rc;
> + sess_data->func = NULL;
> + sess_free_buffer(sess_data);
> + sess_establish_session(sess_data);
> + kfree(ses->auth_key.response);
> + ses->auth_key.response = NULL;
> +}
> +
> +#else
> +
> +static void
> +sess_auth_kerberos(struct sess_data *sess_data)
> +{
> + cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
> + sess_data->result = -ENOSYS;
> + sess_data->func = NULL;
> +}
> +#endif /* ! CONFIG_CIFS_UPCALL */
>
> int
> CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
> @@ -993,7 +1141,6 @@ CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
> struct kvec iov[3];
> enum securityEnum type;
> __u16 action, bytes_remaining;
> - struct key *spnego_key = NULL;
> __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
> u16 blob_len;
> char *ntlmsspblob = NULL;
> @@ -1029,6 +1176,9 @@ CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
> case NTLMv2:
> sess_auth_ntlmv2(sess_data);
> goto out;
> + case Kerberos:
> + sess_auth_kerberos(sess_data);
> + goto out;
> default:
> /* Continue with the rest of the function */
> break;
> @@ -1085,63 +1235,7 @@ ssetup_ntlmssp_authenticate:
> iov[1].iov_base = NULL;
> iov[1].iov_len = 0;
>
> - if (type == Kerberos) {
> -#ifdef CONFIG_CIFS_UPCALL
> - struct cifs_spnego_msg *msg;
> -
> - spnego_key = cifs_get_spnego_key(ses);
> - if (IS_ERR(spnego_key)) {
> - rc = PTR_ERR(spnego_key);
> - spnego_key = NULL;
> - goto ssetup_exit;
> - }
> -
> - msg = spnego_key->payload.data;
> - /* check version field to make sure that cifs.upcall is
> - sending us a response in an expected form */
> - if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
> - cifs_dbg(VFS, "incorrect version of cifs.upcall "
> - "expected %d but got %d)",
> - CIFS_SPNEGO_UPCALL_VERSION, msg->version);
> - rc = -EKEYREJECTED;
> - goto ssetup_exit;
> - }
> -
> - ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
> - GFP_KERNEL);
> - if (!ses->auth_key.response) {
> - cifs_dbg(VFS,
> - "Kerberos can't allocate (%u bytes) memory",
> - msg->sesskey_len);
> - rc = -ENOMEM;
> - goto ssetup_exit;
> - }
> - ses->auth_key.len = msg->sesskey_len;
> -
> - pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
> - capabilities |= CAP_EXTENDED_SECURITY;
> - pSMB->req.Capabilities = cpu_to_le32(capabilities);
> - iov[1].iov_base = msg->data + msg->sesskey_len;
> - iov[1].iov_len = msg->secblob_len;
> - pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);
> -
> - if (ses->capabilities & CAP_UNICODE) {
> - /* unicode strings must be word aligned */
> - if ((iov[0].iov_len + iov[1].iov_len) % 2) {
> - *bcc_ptr = 0;
> - bcc_ptr++;
> - }
> - unicode_oslm_strings(&bcc_ptr, nls_cp);
> - unicode_domain_string(&bcc_ptr, ses, nls_cp);
> - } else
> - /* BB: is this right? */
> - ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
> -#else /* ! CONFIG_CIFS_UPCALL */
> - cifs_dbg(VFS, "Kerberos negotiated but upcall support disabled!\n");
> - rc = -ENOSYS;
> - goto ssetup_exit;
> -#endif /* CONFIG_CIFS_UPCALL */
> - } else if (type == RawNTLMSSP) {
> + if (type == RawNTLMSSP) {
> if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
> cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
> rc = -ENOSYS;
> @@ -1282,10 +1376,6 @@ ssetup_ntlmssp_authenticate:
> }
>
> ssetup_exit:
> - if (spnego_key) {
> - key_invalidate(spnego_key);
> - key_put(spnego_key);
> - }
> kfree(str_area);
> kfree(ntlmsspblob);
> ntlmsspblob = NULL;
> --
> 1.8.4.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-05-01 22:02 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-01 12:41 [PATCH 0/4 v2] Split CIFS_SessSetup() Sachin Prabhu
[not found] ` <1398948065-23265-1-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-01 12:41 ` [PATCH 1/4] cifs: Split lanman auth from CIFS_SessSetup() Sachin Prabhu
[not found] ` <1398948065-23265-2-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-01 15:00 ` Shirish Pargaonkar
2014-05-01 12:41 ` [PATCH 2/4] cifs: Split ntlm and ntlmv2 authentication methods off CIFS_SessSetup() Sachin Prabhu
[not found] ` <1398948065-23265-3-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-01 15:31 ` Shirish Pargaonkar
[not found] ` <CADT32e+uuZbXhGyCujnZ2Ed+2nihJeRMduZvqD21yCH=_i-YhA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-05-01 16:26 ` Sachin Prabhu
2014-05-01 20:01 ` Shirish Pargaonkar
[not found] ` <CADT32e+VHgmUJoZfR0FJfhBGMLHzG0EfsFDAP+Ex2ikT9353LA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-05-02 13:17 ` Sachin Prabhu
2014-05-01 12:41 ` [PATCH 3/4] cifs: Split Kerberos authentication " Sachin Prabhu
[not found] ` <1398948065-23265-4-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-01 22:02 ` Shirish Pargaonkar [this message]
2014-05-01 12:41 ` [PATCH 4/4] cifs: Separate rawntlmssp auth from CIFS_SessSetup() Sachin Prabhu
[not found] ` <1398948065-23265-5-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-01 22:01 ` Shirish Pargaonkar
2014-05-01 12:57 ` [PATCH 0/4 v2] Split CIFS_SessSetup() Simo
-- strict thread matches above, loose matches on Subject: below --
2014-05-02 13:21 [PATCH 0/4 v3] " Sachin Prabhu
[not found] ` <1399036891-15689-1-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-02 13:21 ` [PATCH 3/4] cifs: Split Kerberos authentication off CIFS_SessSetup() Sachin Prabhu
[not found] ` <1399036891-15689-4-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-05-02 19:27 ` Jeff Layton
2014-04-28 14:12 [PATCH 0/4] RFC: Split CIFS_SessSetup() Sachin Prabhu
[not found] ` <1398694350-8526-1-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-28 14:12 ` [PATCH 3/4] cifs: Split Kerberos authentication off CIFS_SessSetup() Sachin Prabhu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADT32eJZ_FZc+vYS5_Mmhjxc0R3rc7QowmUdQym+p=9zEAHrSQ@mail.gmail.com' \
--to=shirishpargaonkar-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.