sess.c 18.0 KB
Newer Older
1 2 3 4 5
/*
 *   fs/cifs/sess.c
 *
 *   SMB/CIFS session setup handling routines
 *
S
Steve French 已提交
6
 *   Copyright (c) International Business Machines  Corp., 2006, 2007
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as published
 *   by the Free Software Foundation; either version 2.1 of the License, or
 *   (at your option) any later version.
 *
 *   This library is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU Lesser General Public License for more details.
 *
 *   You should have received a copy of the GNU Lesser General Public License
 *   along with this library; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "cifspdu.h"
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifs_unicode.h"
#include "cifs_debug.h"
#include "ntlmssp.h"
#include "nterr.h"
31
#include <linux/utsname.h>
32
#include "cifs_spnego.h"
33 34

extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
S
Steve French 已提交
35
			 unsigned char *p24);
36 37 38 39 40 41 42 43 44 45 46 47 48

static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB)
{
	__u32 capabilities = 0;

	/* init fields common to all four types of SessSetup */
	/* note that header is initialized to zero in header_assemble */
	pSMB->req.AndXCommand = 0xFF;
	pSMB->req.MaxBufferSize = cpu_to_le16(ses->server->maxBuf);
	pSMB->req.MaxMpxCount = cpu_to_le16(ses->server->maxReq);

	/* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */

S
Steve French 已提交
49
	/* BB verify whether signing required on neg or just on auth frame
50 51 52 53 54
	   (and NTLM case) */

	capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
			CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;

S
Steve French 已提交
55 56
	if (ses->server->secMode &
	    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
57 58 59 60 61 62 63 64 65 66 67 68 69 70
		pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;

	if (ses->capabilities & CAP_UNICODE) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_UNICODE;
		capabilities |= CAP_UNICODE;
	}
	if (ses->capabilities & CAP_STATUS32) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_ERR_STATUS;
		capabilities |= CAP_STATUS32;
	}
	if (ses->capabilities & CAP_DFS) {
		pSMB->req.hdr.Flags2 |= SMBFLG2_DFS;
		capabilities |= CAP_DFS;
	}
71
	if (ses->capabilities & CAP_UNIX)
72 73 74 75 76 77
		capabilities |= CAP_UNIX;

	/* BB check whether to init vcnum BB */
	return capabilities;
}

78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
static void
unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* Copy OS version */
	bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32,
				  nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS,
				  32, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* trailing null */

	*pbcc_area = bcc_ptr;
}

static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses,
				   const struct nls_table *nls_cp)
{
	char *bcc_ptr = *pbcc_area;
	int bytes_ret = 0;

	/* copy domain */
	if (ses->domainName == NULL) {
		/* Sending null domain better than using a bogus domain name (as
		we did briefly in 2.6.18) since server will use its default */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
		bytes_ret = 0;
	} else
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName,
					  256, nls_cp);
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2;  /* account for null terminator */

	*pbcc_area = bcc_ptr;
}


S
Steve French 已提交
124
static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
125
				   const struct nls_table *nls_cp)
126
{
S
Steve French 已提交
127
	char *bcc_ptr = *pbcc_area;
128 129 130 131 132
	int bytes_ret = 0;

	/* BB FIXME add check that strings total less
	than 335 or will need to send them as arrays */

133 134
	/* unicode strings, must be word aligned before the call */
/*	if ((long) bcc_ptr % 2)	{
135 136
		*bcc_ptr = 0;
		bcc_ptr++;
137
	} */
138
	/* copy user */
S
Steve French 已提交
139
	if (ses->userName == NULL) {
140 141 142
		/* null user mount */
		*bcc_ptr = 0;
		*(bcc_ptr+1) = 0;
143 144 145 146 147 148 149
	} else { /* 300 should be long enough for any conceivable user name */
		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
					  300, nls_cp);
	}
	bcc_ptr += 2 * bytes_ret;
	bcc_ptr += 2; /* account for null termination */

150 151
	unicode_domain_string(&bcc_ptr, ses, nls_cp);
	unicode_oslm_strings(&bcc_ptr, nls_cp);
152 153 154 155

	*pbcc_area = bcc_ptr;
}

S
Steve French 已提交
156
static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
S
Steve French 已提交
157
				 const struct nls_table *nls_cp)
158
{
S
Steve French 已提交
159
	char *bcc_ptr = *pbcc_area;
160 161 162

	/* copy user */
	/* BB what about null user mounts - check that we do this BB */
S
Steve French 已提交
163 164 165 166 167 168
	/* copy user */
	if (ses->userName == NULL) {
		/* BB what about null user mounts - check that we do this BB */
	} else { /* 300 should be long enough for any conceivable user name */
		strncpy(bcc_ptr, ses->userName, 300);
	}
169
	/* BB improve check for overflow */
S
Steve French 已提交
170
	bcc_ptr += strnlen(ses->userName, 300);
171
	*bcc_ptr = 0;
S
Steve French 已提交
172
	bcc_ptr++; /* account for null termination */
173

S
Steve French 已提交
174 175 176 177
	/* copy domain */

	if (ses->domainName != NULL) {
		strncpy(bcc_ptr, ses->domainName, 256);
178
		bcc_ptr += strnlen(ses->domainName, 256);
S
Steve French 已提交
179
	} /* else we will send a null domain name
180
	     so the server will default to its own domain */
181 182 183 184 185 186 187
	*bcc_ptr = 0;
	bcc_ptr++;

	/* BB check for overflow here */

	strcpy(bcc_ptr, "Linux version ");
	bcc_ptr += strlen("Linux version ");
188 189
	strcpy(bcc_ptr, init_utsname()->release);
	bcc_ptr += strlen(init_utsname()->release) + 1;
190 191 192 193

	strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
	bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;

S
Steve French 已提交
194
	*pbcc_area = bcc_ptr;
195 196
}

S
Steve French 已提交
197 198 199
static int decode_unicode_ssetup(char **pbcc_area, int bleft,
				 struct cifsSesInfo *ses,
				 const struct nls_table *nls_cp)
200 201 202
{
	int rc = 0;
	int words_left, len;
S
Steve French 已提交
203
	char *data = *pbcc_area;
204 205 206



S
Steve French 已提交
207
	cFYI(1, ("bleft %d", bleft));
208 209


210 211 212 213 214 215 216
	/* SMB header is unaligned, so cifs servers word align start of
	   Unicode strings */
	data++;
	bleft--; /* Windows servers do not always double null terminate
		    their final Unicode string - in which case we
		    now will not attempt to decode the byte of junk
		    which follows it */
217

218 219 220 221 222 223 224 225
	words_left = bleft / 2;

	/* save off server operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

/* We look for obvious messed up bcc or strings in response so we do not go off
   the end since (at least) WIN2K and Windows XP have a major bug in not null
   terminating last Unicode string in response  */
S
Steve French 已提交
226
	if (len >= words_left)
227 228
		return rc;

229
	kfree(ses->serverOS);
230 231
	/* UTF-8 string will not grow more than four times as big as UCS-16 */
	ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
232 233
	if (ses->serverOS != NULL)
		cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp);
234 235 236 237 238 239
	data += 2 * (len + 1);
	words_left -= len + 1;

	/* save off server network operating system */
	len = UniStrnlen((wchar_t *) data, words_left);

S
Steve French 已提交
240
	if (len >= words_left)
241 242
		return rc;

243
	kfree(ses->serverNOS);
244
	ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
S
Steve French 已提交
245
	if (ses->serverNOS != NULL) {
246 247
		cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
				   nls_cp);
S
Steve French 已提交
248 249
		if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
			cFYI(1, ("NT4 server"));
250 251 252 253 254 255
			ses->flags |= CIFS_SES_NT4;
		}
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

S
Steve French 已提交
256 257 258 259 260 261
	/* save off server domain */
	len = UniStrnlen((wchar_t *) data, words_left);

	if (len > words_left)
		return rc;

262
	kfree(ses->serverDomain);
S
Steve French 已提交
263 264 265 266 267 268 269 270 271 272 273
	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
	if (ses->serverDomain != NULL) {
		cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
				   nls_cp);
		ses->serverDomain[2*len] = 0;
		ses->serverDomain[(2*len) + 1] = 0;
	}
	data += 2 * (len + 1);
	words_left -= len + 1;

	cFYI(1, ("words left: %d", words_left));
274 275 276 277

	return rc;
}

S
Steve French 已提交
278 279 280
static int decode_ascii_ssetup(char **pbcc_area, int bleft,
			       struct cifsSesInfo *ses,
			       const struct nls_table *nls_cp)
281 282 283
{
	int rc = 0;
	int len;
S
Steve French 已提交
284
	char *bcc_ptr = *pbcc_area;
285

S
Steve French 已提交
286
	cFYI(1, ("decode sessetup ascii. bleft %d", bleft));
287

288
	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
289
	if (len >= bleft)
290
		return rc;
291

292
	kfree(ses->serverOS);
293 294

	ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
295
	if (ses->serverOS)
296
		strncpy(ses->serverOS, bcc_ptr, len);
S
Steve French 已提交
297 298
	if (strncmp(ses->serverOS, "OS/2", 4) == 0) {
			cFYI(1, ("OS/2 server"));
299 300
			ses->flags |= CIFS_SES_OS2;
	}
301 302 303 304 305

	bcc_ptr += len + 1;
	bleft -= len + 1;

	len = strnlen(bcc_ptr, bleft);
S
Steve French 已提交
306
	if (len >= bleft)
307 308
		return rc;

309
	kfree(ses->serverNOS);
310 311

	ses->serverNOS = kzalloc(len + 1, GFP_KERNEL);
S
Steve French 已提交
312
	if (ses->serverNOS)
313 314 315 316 317
		strncpy(ses->serverNOS, bcc_ptr, len);

	bcc_ptr += len + 1;
	bleft -= len + 1;

S
Steve French 已提交
318 319 320
	len = strnlen(bcc_ptr, bleft);
	if (len > bleft)
		return rc;
321

322 323 324 325 326
	/* No domain field in LANMAN case. Domain is
	   returned by old servers in the SMB negprot response */
	/* BB For newer servers which do not support Unicode,
	   but thus do return domain here we could add parsing
	   for it later, but it is not very important */
S
Steve French 已提交
327
	cFYI(1, ("ascii: bytes left %d", bleft));
328 329 330 331

	return rc;
}

S
Steve French 已提交
332
int
333 334 335 336 337 338 339
CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
		const struct nls_table *nls_cp)
{
	int rc = 0;
	int wct;
	struct smb_hdr *smb_buf;
	char *bcc_ptr;
340
	char *str_area;
341 342 343
	SESSION_SETUP_ANDX *pSMB;
	__u32 capabilities;
	int count;
344 345
	int resp_buf_type;
	struct kvec iov[3];
346 347 348
	enum securityEnum type;
	__u16 action;
	int bytes_remaining;
349
	struct key *spnego_key = NULL;
350

S
Steve French 已提交
351
	if (ses == NULL)
352 353 354
		return -EINVAL;

	type = ses->server->secType;
355

S
Steve French 已提交
356 357
	cFYI(1, ("sess setup type %d", type));
	if (type == LANMAN) {
358 359 360 361 362 363 364 365 366
#ifndef CONFIG_CIFS_WEAK_PW_HASH
		/* LANMAN and plaintext are less secure and off by default.
		So we make this explicitly be turned on in kconfig (in the
		build) and turned on at runtime (changed from the default)
		in proc/fs/cifs or via mount parm.  Unfortunately this is
		needed for old Win (e.g. Win95), some obscure NAS and OS/2 */
		return -EOPNOTSUPP;
#endif
		wct = 10; /* lanman 2 style sessionsetup */
S
Steve French 已提交
367
	} else if ((type == NTLM) || (type == NTLMv2)) {
368
		/* For NTLMv2 failures eventually may need to retry NTLM */
369
		wct = 13; /* old style NTLM sessionsetup */
S
Steve French 已提交
370
	} else /* same size: negotiate or auth, NTLMSSP or extended security */
371 372 373 374
		wct = 12;

	rc = small_smb_init_no_tc(SMB_COM_SESSION_SETUP_ANDX, wct, ses,
			    (void **)&smb_buf);
S
Steve French 已提交
375
	if (rc)
376 377 378 379 380
		return rc;

	pSMB = (SESSION_SETUP_ANDX *)smb_buf;

	capabilities = cifs_ssetup_hdr(ses, pSMB);
381

382 383 384 385 386 387
	/* we will send the SMB in three pieces:
	a fixed length beginning part, an optional
	SPNEGO blob (which can be zero length), and a
	last part which will include the strings
	and rest of bcc area. This allows us to avoid
	a large buffer 17K allocation */
S
Steve French 已提交
388 389
	iov[0].iov_base = (char *)pSMB;
	iov[0].iov_len = smb_buf->smb_buf_length + 4;
390

391 392 393 394
	/* setting this here allows the code at the end of the function
	   to free the request buffer if there's an error */
	resp_buf_type = CIFS_SMALL_BUFFER;

395 396
	/* 2000 big enough to fit max user, domain, NOS name etc. */
	str_area = kmalloc(2000, GFP_KERNEL);
397
	if (str_area == NULL) {
398 399
		rc = -ENOMEM;
		goto ssetup_exit;
400
	}
401
	bcc_ptr = str_area;
402

403 404
	ses->flags &= ~CIFS_SES_LANMAN;

405 406 407
	iov[1].iov_base = NULL;
	iov[1].iov_len = 0;

S
Steve French 已提交
408
	if (type == LANMAN) {
409
#ifdef CONFIG_CIFS_WEAK_PW_HASH
410
		char lnm_session_key[CIFS_SESS_KEY_SIZE];
411 412 413

		/* no capabilities flags in old lanman negotiation */

S
Steve French 已提交
414
		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
415 416 417
		/* BB calculate hash with password */
		/* and copy into bcc */

418
		calc_lanman_hash(ses, lnm_session_key);
S
Steve French 已提交
419
		ses->flags |= CIFS_SES_LANMAN;
420 421
		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
		bcc_ptr += CIFS_SESS_KEY_SIZE;
422 423 424 425 426 427

		/* can not sign if LANMAN negotiated so no need
		to calculate signing key? but what if server
		changed to do higher than lanman dialect and
		we reconnected would we ever calc signing_key? */

S
Steve French 已提交
428
		cFYI(1, ("Negotiating LANMAN setting up strings"));
429 430
		/* Unicode not allowed for LANMAN dialects */
		ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
S
Steve French 已提交
431
#endif
432
	} else if (type == NTLM) {
433
		char ntlm_session_key[CIFS_SESS_KEY_SIZE];
434 435 436

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
		pSMB->req_no_secext.CaseInsensitivePasswordLength =
437
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
438
		pSMB->req_no_secext.CaseSensitivePasswordLength =
439
			cpu_to_le16(CIFS_SESS_KEY_SIZE);
440

441 442 443 444
		/* calculate session key */
		SMBNTencrypt(ses->password, ses->server->cryptKey,
			     ntlm_session_key);

S
Steve French 已提交
445
		if (first_time) /* should this be moved into common code
446
				  with similar ntlmv2 path? */
447
			cifs_calculate_mac_key(&ses->server->mac_signing_key,
448 449 450
				ntlm_session_key, ses->password);
		/* copy session key */

S
Steve French 已提交
451
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
452
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
453
		memcpy(bcc_ptr, (char *)ntlm_session_key, CIFS_SESS_KEY_SIZE);
454
		bcc_ptr += CIFS_SESS_KEY_SIZE;
S
Steve French 已提交
455
		if (ses->capabilities & CAP_UNICODE) {
456 457 458
			/* unicode strings must be word aligned */
			if (iov[0].iov_len % 2) {
				*bcc_ptr = 0;
S
Steve French 已提交
459 460
				bcc_ptr++;
			}
461
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
462
		} else
463 464
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
	} else if (type == NTLMv2) {
S
Steve French 已提交
465
		char *v2_sess_key =
S
Steve French 已提交
466
			kmalloc(sizeof(struct ntlmv2_resp), GFP_KERNEL);
S
Steve French 已提交
467 468 469

		/* BB FIXME change all users of v2_sess_key to
		   struct ntlmv2_resp */
470

S
Steve French 已提交
471
		if (v2_sess_key == NULL) {
472 473
			rc = -ENOMEM;
			goto ssetup_exit;
474 475 476 477 478 479 480 481 482
		}

		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);

		/* LM2 password would be here if we supported it */
		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
		/*	cpu_to_le16(LM2_SESS_KEY_SIZE); */

		pSMB->req_no_secext.CaseSensitivePasswordLength =
S
Steve French 已提交
483
			cpu_to_le16(sizeof(struct ntlmv2_resp));
484 485

		/* calculate session key */
S
Steve French 已提交
486
		setup_ntlmv2_rsp(ses, v2_sess_key, nls_cp);
S
Steve French 已提交
487 488
		if (first_time) /* should this be moved into common code
				   with similar ntlmv2 path? */
489 490 491 492 493 494 495
		/*   cifs_calculate_ntlmv2_mac_key(ses->server->mac_signing_key,
				response BB FIXME, v2_sess_key); */

		/* copy session key */

	/*	memcpy(bcc_ptr, (char *)ntlm_session_key,LM2_SESS_KEY_SIZE);
		bcc_ptr += LM2_SESS_KEY_SIZE; */
S
Steve French 已提交
496 497
		memcpy(bcc_ptr, (char *)v2_sess_key,
		       sizeof(struct ntlmv2_resp));
S
Steve French 已提交
498 499
		bcc_ptr += sizeof(struct ntlmv2_resp);
		kfree(v2_sess_key);
S
Steve French 已提交
500 501
		if (ses->capabilities & CAP_UNICODE) {
			if (iov[0].iov_len % 2) {
502
				*bcc_ptr = 0;
503 504
				bcc_ptr++;
			}
505
			unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
506
		} else
507
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
508
	} else if (type == Kerberos || type == MSKerberos) {
509 510 511 512 513 514 515 516 517 518
#ifdef CONFIG_CIFS_UPCALL
		struct cifs_spnego_msg *msg;
		spnego_key = cifs_get_spnego_key(ses);
		if (IS_ERR(spnego_key)) {
			rc = PTR_ERR(spnego_key);
			spnego_key = NULL;
			goto ssetup_exit;
		}

		msg = spnego_key->payload.data;
519 520 521 522 523 524 525 526 527
		/* check version field to make sure that cifs.upcall is
		   sending us a response in an expected form */
		if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
			cERROR(1, ("incorrect version of cifs.upcall (expected"
				   " %d but got %d)",
				   CIFS_SPNEGO_UPCALL_VERSION, msg->version));
			rc = -EKEYREJECTED;
			goto ssetup_exit;
		}
528 529 530 531 532 533 534 535
		/* bail out if key is too long */
		if (msg->sesskey_len >
		    sizeof(ses->server->mac_signing_key.data.krb5)) {
			cERROR(1, ("Kerberos signing key too long (%u bytes)",
				msg->sesskey_len));
			rc = -EOVERFLOW;
			goto ssetup_exit;
		}
536 537 538 539 540
		if (first_time) {
			ses->server->mac_signing_key.len = msg->sesskey_len;
			memcpy(ses->server->mac_signing_key.data.krb5,
				msg->data, msg->sesskey_len);
		}
541 542 543
		pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
		capabilities |= CAP_EXTENDED_SECURITY;
		pSMB->req.Capabilities = cpu_to_le32(capabilities);
544 545 546 547 548 549
		iov[1].iov_base = msg->data + msg->sesskey_len;
		iov[1].iov_len = msg->secblob_len;
		pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len);

		if (ses->capabilities & CAP_UNICODE) {
			/* unicode strings must be word aligned */
550
			if ((iov[0].iov_len + iov[1].iov_len) % 2) {
551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567
				*bcc_ptr = 0;
				bcc_ptr++;
			}
			unicode_oslm_strings(&bcc_ptr, nls_cp);
			unicode_domain_string(&bcc_ptr, ses, nls_cp);
		} else
		/* BB: is this right? */
			ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
#else /* ! CONFIG_CIFS_UPCALL */
		cERROR(1, ("Kerberos negotiated but upcall support disabled!"));
		rc = -ENOSYS;
		goto ssetup_exit;
#endif /* CONFIG_CIFS_UPCALL */
	} else {
		cERROR(1, ("secType %d not supported!", type));
		rc = -ENOSYS;
		goto ssetup_exit;
568 569
	}

570 571 572 573
	iov[2].iov_base = str_area;
	iov[2].iov_len = (long) bcc_ptr - (long) str_area;

	count = iov[1].iov_len + iov[2].iov_len;
574 575 576 577
	smb_buf->smb_buf_length += count;

	BCC_LE(smb_buf) = cpu_to_le16(count);

578
	rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
579
			  CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
580 581
	/* SMB request buf freed in SendReceive2 */

S
Steve French 已提交
582 583
	cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
	if (rc)
584 585 586 587 588
		goto ssetup_exit;

	pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
	smb_buf = (struct smb_hdr *)iov[0].iov_base;

S
Steve French 已提交
589
	if ((smb_buf->WordCount != 3) && (smb_buf->WordCount != 4)) {
590
		rc = -EIO;
S
Steve French 已提交
591
		cERROR(1, ("bad word count %d", smb_buf->WordCount));
592 593 594 595
		goto ssetup_exit;
	}
	action = le16_to_cpu(pSMB->resp.Action);
	if (action & GUEST_LOGIN)
596
		cFYI(1, ("Guest login")); /* BB mark SesInfo struct? */
597 598 599 600 601 602 603
	ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
	cFYI(1, ("UID = %d ", ses->Suid));
	/* response can have either 3 or 4 word count - Samba sends 3 */
	/* and lanman response is 3 */
	bytes_remaining = BCC(smb_buf);
	bcc_ptr = pByteArea(smb_buf);

S
Steve French 已提交
604
	if (smb_buf->WordCount == 4) {
605 606 607
		__u16 blob_len;
		blob_len = le16_to_cpu(pSMB->resp.SecurityBlobLength);
		bcc_ptr += blob_len;
S
Steve French 已提交
608 609
		if (blob_len > bytes_remaining) {
			cERROR(1, ("bad security blob length %d", blob_len));
610 611 612 613
			rc = -EINVAL;
			goto ssetup_exit;
		}
		bytes_remaining -= blob_len;
S
Steve French 已提交
614
	}
615 616

	/* BB check if Unicode and decode strings */
S
Steve French 已提交
617
	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
618 619 620
		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
						   ses, nls_cp);
	else
621 622
		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
					 ses, nls_cp);
623

624
ssetup_exit:
625 626
	if (spnego_key)
		key_put(spnego_key);
627
	kfree(str_area);
S
Steve French 已提交
628 629
	if (resp_buf_type == CIFS_SMALL_BUFFER) {
		cFYI(1, ("ssetup freeing small buf %p", iov[0].iov_base));
630
		cifs_small_buf_release(iov[0].iov_base);
S
Steve French 已提交
631
	} else if (resp_buf_type == CIFS_LARGE_BUFFER)
632 633 634 635
		cifs_buf_release(iov[0].iov_base);

	return rc;
}