diff options
| author | Jeff Layton <jlayton@redhat.com> | 2013-05-26 07:01:00 -0400 |
|---|---|---|
| committer | Steve French <smfrench@gmail.com> | 2013-06-24 02:56:43 -0400 |
| commit | 38d77c50b4f4e3ea1687e119871364f1c8d2f531 (patch) | |
| tree | b222f1aa85155a24fafcabea2f8e8c17197fb2ae /fs/cifs/smb2pdu.c | |
| parent | 1e3cc57e474867771aba2bdf23d0c7d8fb5e4822 (diff) | |
cifs: track the enablement of signing in the TCP_Server_Info
Currently, we determine this according to flags in the sec_mode, flags
in the global_secflags and via other methods. That makes the semantics
very hard to follow and there are corner cases where we don't handle
this correctly.
Add a new bool to the TCP_Server_Info that acts as a simple flag to tell
us whether signing is enabled on this connection or not, and fix up the
places that need to determine this to use that flag.
This is a bit weird for the SMB2 case, where signing is per-session.
SMB2 needs work in this area already though. The existing SMB2 code has
similar logic to what we're using here, so there should be no real
change in behavior. These changes should make it easier to implement
per-session signing in the future though.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/smb2pdu.c')
| -rw-r--r-- | fs/cifs/smb2pdu.c | 40 |
1 files changed, 17 insertions, 23 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 1609699e7bec..ad8ef10de0bd 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c | |||
| @@ -119,8 +119,7 @@ smb2_hdr_assemble(struct smb2_hdr *hdr, __le16 smb2_cmd /* command */ , | |||
| 119 | /* BB how does SMB2 do case sensitive? */ | 119 | /* BB how does SMB2 do case sensitive? */ |
| 120 | /* if (tcon->nocase) | 120 | /* if (tcon->nocase) |
| 121 | hdr->Flags |= SMBFLG_CASELESS; */ | 121 | hdr->Flags |= SMBFLG_CASELESS; */ |
| 122 | if (tcon->ses && tcon->ses->server && | 122 | if (tcon->ses && tcon->ses->server && tcon->ses->server->sign) |
| 123 | (tcon->ses->server->sec_mode & SECMODE_SIGN_REQUIRED)) | ||
| 124 | hdr->Flags |= SMB2_FLAGS_SIGNED; | 123 | hdr->Flags |= SMB2_FLAGS_SIGNED; |
| 125 | out: | 124 | out: |
| 126 | pdu->StructureSize2 = cpu_to_le16(parmsize); | 125 | pdu->StructureSize2 = cpu_to_le16(parmsize); |
| @@ -330,7 +329,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) | |||
| 330 | int resp_buftype; | 329 | int resp_buftype; |
| 331 | struct TCP_Server_Info *server = ses->server; | 330 | struct TCP_Server_Info *server = ses->server; |
| 332 | unsigned int sec_flags; | 331 | unsigned int sec_flags; |
| 333 | u16 temp = 0; | ||
| 334 | int blob_offset, blob_length; | 332 | int blob_offset, blob_length; |
| 335 | char *security_blob; | 333 | char *security_blob; |
| 336 | int flags = CIFS_NEG_OP; | 334 | int flags = CIFS_NEG_OP; |
| @@ -362,12 +360,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) | |||
| 362 | inc_rfc1001_len(req, 2); | 360 | inc_rfc1001_len(req, 2); |
| 363 | 361 | ||
| 364 | /* only one of SMB2 signing flags may be set in SMB2 request */ | 362 | /* only one of SMB2 signing flags may be set in SMB2 request */ |
| 365 | if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) | 363 | if (ses->sign) |
| 366 | temp = SMB2_NEGOTIATE_SIGNING_REQUIRED; | 364 | req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED; |
| 367 | else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */ | 365 | else if (global_secflags & CIFSSEC_MAY_SIGN) |
| 368 | temp = SMB2_NEGOTIATE_SIGNING_ENABLED; | 366 | req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED; |
| 369 | 367 | else | |
| 370 | req->SecurityMode = cpu_to_le16(temp); | 368 | req->SecurityMode = 0; |
| 371 | 369 | ||
| 372 | req->Capabilities = cpu_to_le32(ses->server->vals->req_capabilities); | 370 | req->Capabilities = cpu_to_le32(ses->server->vals->req_capabilities); |
| 373 | 371 | ||
| @@ -424,8 +422,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) | |||
| 424 | goto neg_exit; | 422 | goto neg_exit; |
| 425 | } | 423 | } |
| 426 | 424 | ||
| 427 | cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags); | 425 | rc = cifs_enable_signing(server, ses->sign); |
| 428 | rc = cifs_enable_signing(server, sec_flags); | ||
| 429 | #ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */ | 426 | #ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */ |
| 430 | if (rc) | 427 | if (rc) |
| 431 | goto neg_exit; | 428 | goto neg_exit; |
| @@ -457,7 +454,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, | |||
| 457 | __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ | 454 | __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ |
| 458 | struct TCP_Server_Info *server = ses->server; | 455 | struct TCP_Server_Info *server = ses->server; |
| 459 | unsigned int sec_flags; | 456 | unsigned int sec_flags; |
| 460 | u8 temp = 0; | ||
| 461 | u16 blob_length = 0; | 457 | u16 blob_length = 0; |
| 462 | char *security_blob; | 458 | char *security_blob; |
| 463 | char *ntlmssp_blob = NULL; | 459 | char *ntlmssp_blob = NULL; |
| @@ -502,14 +498,13 @@ ssetup_ntlmssp_authenticate: | |||
| 502 | req->hdr.CreditRequest = cpu_to_le16(3); | 498 | req->hdr.CreditRequest = cpu_to_le16(3); |
| 503 | 499 | ||
| 504 | /* only one of SMB2 signing flags may be set in SMB2 request */ | 500 | /* only one of SMB2 signing flags may be set in SMB2 request */ |
| 505 | if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) | 501 | if (server->sign) |
| 506 | temp = SMB2_NEGOTIATE_SIGNING_REQUIRED; | 502 | req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED; |
| 507 | else if (ses->server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) | 503 | else if (global_secflags & CIFSSEC_MAY_SIGN) /* one flag unlike MUST_ */ |
| 508 | temp = SMB2_NEGOTIATE_SIGNING_REQUIRED; | 504 | req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED; |
| 509 | else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */ | 505 | else |
| 510 | temp = SMB2_NEGOTIATE_SIGNING_ENABLED; | 506 | req->SecurityMode = 0; |
| 511 | 507 | ||
| 512 | req->SecurityMode = temp; | ||
| 513 | req->Capabilities = 0; | 508 | req->Capabilities = 0; |
| 514 | req->Channel = 0; /* MBZ */ | 509 | req->Channel = 0; /* MBZ */ |
| 515 | 510 | ||
| @@ -652,7 +647,7 @@ SMB2_logoff(const unsigned int xid, struct cifs_ses *ses) | |||
| 652 | 647 | ||
| 653 | /* since no tcon, smb2_init can not do this, so do here */ | 648 | /* since no tcon, smb2_init can not do this, so do here */ |
| 654 | req->hdr.SessionId = ses->Suid; | 649 | req->hdr.SessionId = ses->Suid; |
| 655 | if (server->sec_mode & SECMODE_SIGN_REQUIRED) | 650 | if (server->sign) |
| 656 | req->hdr.Flags |= SMB2_FLAGS_SIGNED; | 651 | req->hdr.Flags |= SMB2_FLAGS_SIGNED; |
| 657 | 652 | ||
| 658 | rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0); | 653 | rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0); |
| @@ -1357,8 +1352,7 @@ smb2_readv_callback(struct mid_q_entry *mid) | |||
| 1357 | case MID_RESPONSE_RECEIVED: | 1352 | case MID_RESPONSE_RECEIVED: |
| 1358 | credits_received = le16_to_cpu(buf->CreditRequest); | 1353 | credits_received = le16_to_cpu(buf->CreditRequest); |
| 1359 | /* result already set, check signature */ | 1354 | /* result already set, check signature */ |
| 1360 | if (server->sec_mode & | 1355 | if (server->sign) { |
| 1361 | (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) { | ||
| 1362 | int rc; | 1356 | int rc; |
| 1363 | 1357 | ||
| 1364 | rc = smb2_verify_signature(&rqst, server); | 1358 | rc = smb2_verify_signature(&rqst, server); |