[CIFS] Fix sign mount option and sign proc config setting

We were checking the wrong (old) global variable to determine whether to override server and force signing on the SMB connection. Acked-by: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Steve French <sfrench@us.ibm.com> 2007-06-28 14:41:42 -0400
committer: Steve French <sfrench@us.ibm.com> 2007-06-28 14:41:42 -0400
commit: 762e5ab77c803c819e45d054518a98efb70b0f60 (patch)
tree: 09139edbbad69e50d13a26cb54d73adc5184bdc7 /fs
parent: 467a8f8d480190a98cec3e4362c51c2a27157115 (diff)
2 files changed, 29 insertions, 95 deletions
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index ebd13358cca6..42fafa144f40 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -901,90 +901,14 @@ security_flags_write(struct file *file, const char __user *buffer,
        }
        /* flags look ok - update the global security flags for cifs module */
        extended_security = flags;
+        if (extended_security & CIFSSEC_MUST_SIGN) {
+                /* requiring signing implies signing is allowed */
+                extended_security |= CIFSSEC_MAY_SIGN;
+                cFYI(1, ("packet signing now required"));
+        } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
+                cFYI(1, ("packet signing disabled"));
+        }
+        /* BB should we turn on MAY flags for other MUST options? */
        return count;
 }
-/* static int
-ntlmv2_enabled_read(char *page, char **start, off_t off,
-                       int count, int *eof, void *data)
-{
-        int len;
-        len = sprintf(page, "%d\n", ntlmv2_support);
-        len -= off;
-        *start = page + off;
-        if (len > count)
-                len = count;
-        else
-                *eof = 1;
-        if (len < 0)
-                len = 0;
-        return len;
-}
-static int
-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
-                        unsigned long count, void *data)
-{
-        char c;
-        int rc;
-        rc = get_user(c, buffer);
-        if (rc)
-                return rc;
-        if (c == '0' || c == 'n' || c == 'N')
-                ntlmv2_support = 0;
-        else if (c == '1' || c == 'y' || c == 'Y')
-                ntlmv2_support = 1;
-        else if (c == '2')
-                ntlmv2_support = 2;
-        return count;
-}
-static int
-packet_signing_enabled_read(char *page, char **start, off_t off,
-                       int count, int *eof, void *data)
-{
-        int len;
-        len = sprintf(page, "%d\n", sign_CIFS_PDUs);
-        len -= off;
-        *start = page + off;
-        if (len > count)
-                len = count;
-        else
-                *eof = 1;
-        if (len < 0)
-                len = 0;
-        return len;
-}
-static int
-packet_signing_enabled_write(struct file *file, const char __user *buffer,
-                        unsigned long count, void *data)
-{
-        char c;
-        int rc;
-        rc = get_user(c, buffer);
-        if (rc)
-                return rc;
-        if (c == '0' || c == 'n' || c == 'N')
-                sign_CIFS_PDUs = 0;
-        else if (c == '1' || c == 'y' || c == 'Y')
-                sign_CIFS_PDUs = 1;
-        else if (c == '2')
-                sign_CIFS_PDUs = 2;
-        return count;
-} */
 #endif
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 57419a176688..4a2458e78784 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -426,11 +426,11 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
        /* if any of auth flags (ie not sign or seal) are overriden use them */
        if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-                secFlags = ses->overrideSecFlg;
+                secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
        else /* if override flags set only sign/seal OR them with global auth */
                secFlags = extended_security | ses->overrideSecFlg;
-        cFYI(1,("secFlags 0x%x",secFlags));
+        cFYI(1, ("secFlags 0x%x", secFlags));
        pSMB->hdr.Mid = GetNextMid(server);
        pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS);
@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
 signing_check:
 #endif
-        if(sign_CIFS_PDUs == FALSE) {        
+        if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
+                /* MUST_SIGN already includes the MAY_SIGN FLAG
+                   so if this is zero it means that signing is disabled */
+                cFYI(1, ("Signing disabled"));
                if(server->secMode & SECMODE_SIGN_REQUIRED)
-                        cERROR(1,("Server requires "
+                        cERROR(1, ("Server requires "
-                                 "/proc/fs/cifs/PacketSigningEnabled to be on"));
+                                   "/proc/fs/cifs/PacketSigningEnabled "
+                                   "to be on"));
                server->secMode &= 
                        ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-        } else if(sign_CIFS_PDUs == 1) {
+        } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
+                /* signing required */
+                cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
+                if ((server->secMode &
+                        (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+                        cERROR(1,
+                                ("signing required but server lacks support"));
+                } else
+                        server->secMode |= SECMODE_SIGN_REQUIRED;
+        } else {
+                /* signing optional ie CIFSSEC_MAY_SIGN */
                if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
                        server->secMode &= 
                                ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-        } else if(sign_CIFS_PDUs == 2) {
-                if((server->secMode & 
-                        (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
-                        cERROR(1,("signing required but server lacks support"));
-                }
        }
+        
 neg_err_exit:   
        cifs_buf_release(pSMB);
author	Steve French <sfrench@us.ibm.com>	2007-06-28 14:41:42 -0400
committer	Steve French <sfrench@us.ibm.com>	2007-06-28 14:41:42 -0400
commit	762e5ab77c803c819e45d054518a98efb70b0f60 (patch)
tree	09139edbbad69e50d13a26cb54d73adc5184bdc7 /fs
parent	467a8f8d480190a98cec3e4362c51c2a27157115 (diff)

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index ebd13358cca6..42fafa144f40 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c
@@ -901,90 +901,14 @@ security_flags_write(struct file file, const char __user buffer,
901	}	901	}
902	/* flags look ok - update the global security flags for cifs module */	902	/* flags look ok - update the global security flags for cifs module */
903	extended_security = flags;	903	extended_security = flags;
		904	if (extended_security & CIFSSEC_MUST_SIGN) {
		905	/* requiring signing implies signing is allowed */
		906	extended_security \|= CIFSSEC_MAY_SIGN;
		907	cFYI(1, ("packet signing now required"));
		908	} else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
		909	cFYI(1, ("packet signing disabled"));
		910	}
		911	/* BB should we turn on MAY flags for other MUST options? */
904	return count;	912	return count;
905	}	913	}
906
907	/* static int
908	ntlmv2_enabled_read(char page, char *start, off_t off,
909	int count, int eof, void data)
910	{
911	int len;
912
913	len = sprintf(page, "%d\n", ntlmv2_support);
914
915	len -= off;
916	*start = page + off;
917
918	if (len > count)
919	len = count;
920	else
921	*eof = 1;
922
923	if (len < 0)
924	len = 0;
925
926	return len;
927	}
928	static int
929	ntlmv2_enabled_write(struct file file, const char __user buffer,
930	unsigned long count, void *data)
931	{
932	char c;
933	int rc;
934
935	rc = get_user(c, buffer);
936	if (rc)
937	return rc;
938	if (c == '0' \|\| c == 'n' \|\| c == 'N')
939	ntlmv2_support = 0;
940	else if (c == '1' \|\| c == 'y' \|\| c == 'Y')
941	ntlmv2_support = 1;
942	else if (c == '2')
943	ntlmv2_support = 2;
944
945	return count;
946	}
947
948	static int
949	packet_signing_enabled_read(char page, char *start, off_t off,
950	int count, int eof, void data)
951	{
952	int len;
953
954	len = sprintf(page, "%d\n", sign_CIFS_PDUs);
955
956	len -= off;
957	*start = page + off;
958
959	if (len > count)
960	len = count;
961	else
962	*eof = 1;
963
964	if (len < 0)
965	len = 0;
966
967	return len;
968	}
969	static int
970	packet_signing_enabled_write(struct file file, const char __user buffer,
971	unsigned long count, void *data)
972	{
973	char c;
974	int rc;
975
976	rc = get_user(c, buffer);
977	if (rc)
978	return rc;
979	if (c == '0' \|\| c == 'n' \|\| c == 'N')
980	sign_CIFS_PDUs = 0;
981	else if (c == '1' \|\| c == 'y' \|\| c == 'Y')
982	sign_CIFS_PDUs = 1;
983	else if (c == '2')
984	sign_CIFS_PDUs = 2;
985
986	return count;
987	} */
988
989
990	#endif	914	#endif


diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 57419a176688..4a2458e78784 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -426,11 +426,11 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
426		426
427	/* if any of auth flags (ie not sign or seal) are overriden use them */	427	/* if any of auth flags (ie not sign or seal) are overriden use them */
428	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN \| CIFSSEC_MUST_SEAL)))	428	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN \| CIFSSEC_MUST_SEAL)))
429	secFlags = ses->overrideSecFlg;	429	secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
430	else /* if override flags set only sign/seal OR them with global auth */	430	else /* if override flags set only sign/seal OR them with global auth */
431	secFlags = extended_security \| ses->overrideSecFlg;	431	secFlags = extended_security \| ses->overrideSecFlg;
432		432
433	cFYI(1,("secFlags 0x%x",secFlags));	433	cFYI(1, ("secFlags 0x%x", secFlags));
434		434
435	pSMB->hdr.Mid = GetNextMid(server);	435	pSMB->hdr.Mid = GetNextMid(server);
436	pSMB->hdr.Flags2 \|= (SMBFLG2_UNICODE \| SMBFLG2_ERR_STATUS);	436	pSMB->hdr.Flags2 \|= (SMBFLG2_UNICODE \| SMBFLG2_ERR_STATUS);
@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
633	#ifdef CONFIG_CIFS_WEAK_PW_HASH	633	#ifdef CONFIG_CIFS_WEAK_PW_HASH
634	signing_check:	634	signing_check:
635	#endif	635	#endif
636	if(sign_CIFS_PDUs == FALSE) {	636	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
		637	/* MUST_SIGN already includes the MAY_SIGN FLAG
		638	so if this is zero it means that signing is disabled */
		639	cFYI(1, ("Signing disabled"));
637	if(server->secMode & SECMODE_SIGN_REQUIRED)	640	if(server->secMode & SECMODE_SIGN_REQUIRED)
638	cERROR(1,("Server requires "	641	cERROR(1, ("Server requires "
639	"/proc/fs/cifs/PacketSigningEnabled to be on"));	642	"/proc/fs/cifs/PacketSigningEnabled "
		643	"to be on"));
640	server->secMode &=	644	server->secMode &=
641	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);	645	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);
642	} else if(sign_CIFS_PDUs == 1) {	646	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
		647	/* signing required */
		648	cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
		649	if ((server->secMode &
		650	(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED)) == 0) {
		651	cERROR(1,
		652	("signing required but server lacks support"));
		653	} else
		654	server->secMode \|= SECMODE_SIGN_REQUIRED;
		655	} else {
		656	/* signing optional ie CIFSSEC_MAY_SIGN */
643	if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)	657	if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
644	server->secMode &=	658	server->secMode &=
645	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);	659	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);
646	} else if(sign_CIFS_PDUs == 2) {
647	if((server->secMode &
648	(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED)) == 0) {
649	cERROR(1,("signing required but server lacks support"));
650	}
651	}	660	}
		661
652	neg_err_exit:	662	neg_err_exit:
653	cifs_buf_release(pSMB);	663	cifs_buf_release(pSMB);
654		664