2 files changed, 29 insertions, 95 deletions
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index ebd13358cca6..42fafa144f40 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -901,90 +901,14 @@ security_flags_write(struct file *file, const char __user *buffer,
        }
        /* flags look ok - update the global security flags for cifs module */
        extended_security = flags;
+        if (extended_security & CIFSSEC_MUST_SIGN) {
+                /* requiring signing implies signing is allowed */
+                extended_security |= CIFSSEC_MAY_SIGN;
+                cFYI(1, ("packet signing now required"));
+        } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
+                cFYI(1, ("packet signing disabled"));
+        }
+        /* BB should we turn on MAY flags for other MUST options? */
        return count;
 }
-/* static int
-ntlmv2_enabled_read(char *page, char **start, off_t off,
-                       int count, int *eof, void *data)
-{
-        int len;
-        len = sprintf(page, "%d\n", ntlmv2_support);
-        len -= off;
-        *start = page + off;
-        if (len > count)
-                len = count;
-        else
-                *eof = 1;
-        if (len < 0)
-                len = 0;
-        return len;
-}
-static int
-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
-                        unsigned long count, void *data)
-{
-        char c;
-        int rc;
-        rc = get_user(c, buffer);
-        if (rc)
-                return rc;
-        if (c == '0' || c == 'n' || c == 'N')
-                ntlmv2_support = 0;
-        else if (c == '1' || c == 'y' || c == 'Y')
-                ntlmv2_support = 1;
-        else if (c == '2')
-                ntlmv2_support = 2;
-        return count;
-}
-static int
-packet_signing_enabled_read(char *page, char **start, off_t off,
-                       int count, int *eof, void *data)
-{
-        int len;
-        len = sprintf(page, "%d\n", sign_CIFS_PDUs);
-        len -= off;
-        *start = page + off;
-        if (len > count)
-                len = count;
-        else
-                *eof = 1;
-        if (len < 0)
-                len = 0;
-        return len;
-}
-static int
-packet_signing_enabled_write(struct file *file, const char __user *buffer,
-                        unsigned long count, void *data)
-{
-        char c;
-        int rc;
-        rc = get_user(c, buffer);
-        if (rc)
-                return rc;
-        if (c == '0' || c == 'n' || c == 'N')
-                sign_CIFS_PDUs = 0;
-        else if (c == '1' || c == 'y' || c == 'Y')
-                sign_CIFS_PDUs = 1;
-        else if (c == '2')
-                sign_CIFS_PDUs = 2;
-        return count;
-} */
 #endif
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 57419a176688..4a2458e78784 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -426,11 +426,11 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
        /* if any of auth flags (ie not sign or seal) are overriden use them */
        if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-                secFlags = ses->overrideSecFlg;
+                secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
        else /* if override flags set only sign/seal OR them with global auth */
                secFlags = extended_security | ses->overrideSecFlg;
-        cFYI(1,("secFlags 0x%x",secFlags));
+        cFYI(1, ("secFlags 0x%x", secFlags));
        pSMB->hdr.Mid = GetNextMid(server);
        pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS);
@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
 signing_check:
 #endif
-        if(sign_CIFS_PDUs == FALSE) {        
+        if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
+                /* MUST_SIGN already includes the MAY_SIGN FLAG
+                   so if this is zero it means that signing is disabled */
+                cFYI(1, ("Signing disabled"));
                if(server->secMode & SECMODE_SIGN_REQUIRED)
-                        cERROR(1,("Server requires "
+                        cERROR(1, ("Server requires "
-                                 "/proc/fs/cifs/PacketSigningEnabled to be on"));
+                                   "/proc/fs/cifs/PacketSigningEnabled "
+                                   "to be on"));
                server->secMode &= 
                        ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-        } else if(sign_CIFS_PDUs == 1) {
+        } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
+                /* signing required */
+                cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
+                if ((server->secMode &
+                        (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+                        cERROR(1,
+                                ("signing required but server lacks support"));
+                } else
+                        server->secMode |= SECMODE_SIGN_REQUIRED;
+        } else {
+                /* signing optional ie CIFSSEC_MAY_SIGN */
                if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
                        server->secMode &= 
                                ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-        } else if(sign_CIFS_PDUs == 2) {
-                if((server->secMode & 
-                        (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
-                        cERROR(1,("signing required but server lacks support"));
-                }
        }
+        
 neg_err_exit:   
        cifs_buf_release(pSMB);

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index ebd13358cca6..42fafa144f40 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c
@@ -901,90 +901,14 @@ security_flags_write(struct file file, const char __user buffer,
901	}	901	}
902	/* flags look ok - update the global security flags for cifs module */	902	/* flags look ok - update the global security flags for cifs module */
903	extended_security = flags;	903	extended_security = flags;
		904	if (extended_security & CIFSSEC_MUST_SIGN) {
		905	/* requiring signing implies signing is allowed */
		906	extended_security \|= CIFSSEC_MAY_SIGN;
		907	cFYI(1, ("packet signing now required"));
		908	} else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
		909	cFYI(1, ("packet signing disabled"));
		910	}
		911	/* BB should we turn on MAY flags for other MUST options? */
904	return count;	912	return count;
905	}	913	}
906
907	/* static int
908	ntlmv2_enabled_read(char page, char *start, off_t off,
909	int count, int eof, void data)
910	{
911	int len;
912
913	len = sprintf(page, "%d\n", ntlmv2_support);
914
915	len -= off;
916	*start = page + off;
917
918	if (len > count)
919	len = count;
920	else
921	*eof = 1;
922
923	if (len < 0)
924	len = 0;
925
926	return len;
927	}
928	static int
929	ntlmv2_enabled_write(struct file file, const char __user buffer,
930	unsigned long count, void *data)
931	{
932	char c;
933	int rc;
934
935	rc = get_user(c, buffer);
936	if (rc)
937	return rc;
938	if (c == '0' \|\| c == 'n' \|\| c == 'N')
939	ntlmv2_support = 0;
940	else if (c == '1' \|\| c == 'y' \|\| c == 'Y')
941	ntlmv2_support = 1;
942	else if (c == '2')
943	ntlmv2_support = 2;
944
945	return count;
946	}
947
948	static int
949	packet_signing_enabled_read(char page, char *start, off_t off,
950	int count, int eof, void data)
951	{
952	int len;
953
954	len = sprintf(page, "%d\n", sign_CIFS_PDUs);
955
956	len -= off;
957	*start = page + off;
958
959	if (len > count)
960	len = count;
961	else
962	*eof = 1;
963
964	if (len < 0)
965	len = 0;
966
967	return len;
968	}
969	static int
970	packet_signing_enabled_write(struct file file, const char __user buffer,
971	unsigned long count, void *data)
972	{
973	char c;
974	int rc;
975
976	rc = get_user(c, buffer);
977	if (rc)
978	return rc;
979	if (c == '0' \|\| c == 'n' \|\| c == 'N')
980	sign_CIFS_PDUs = 0;
981	else if (c == '1' \|\| c == 'y' \|\| c == 'Y')
982	sign_CIFS_PDUs = 1;
983	else if (c == '2')
984	sign_CIFS_PDUs = 2;
985
986	return count;
987	} */
988
989
990	#endif	914	#endif


diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 57419a176688..4a2458e78784 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -426,11 +426,11 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
426		426
427	/* if any of auth flags (ie not sign or seal) are overriden use them */	427	/* if any of auth flags (ie not sign or seal) are overriden use them */
428	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN \| CIFSSEC_MUST_SEAL)))	428	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN \| CIFSSEC_MUST_SEAL)))
429	secFlags = ses->overrideSecFlg;	429	secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
430	else /* if override flags set only sign/seal OR them with global auth */	430	else /* if override flags set only sign/seal OR them with global auth */
431	secFlags = extended_security \| ses->overrideSecFlg;	431	secFlags = extended_security \| ses->overrideSecFlg;
432		432
433	cFYI(1,("secFlags 0x%x",secFlags));	433	cFYI(1, ("secFlags 0x%x", secFlags));
434		434
435	pSMB->hdr.Mid = GetNextMid(server);	435	pSMB->hdr.Mid = GetNextMid(server);
436	pSMB->hdr.Flags2 \|= (SMBFLG2_UNICODE \| SMBFLG2_ERR_STATUS);	436	pSMB->hdr.Flags2 \|= (SMBFLG2_UNICODE \| SMBFLG2_ERR_STATUS);
@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
633	#ifdef CONFIG_CIFS_WEAK_PW_HASH	633	#ifdef CONFIG_CIFS_WEAK_PW_HASH
634	signing_check:	634	signing_check:
635	#endif	635	#endif
636	if(sign_CIFS_PDUs == FALSE) {	636	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
		637	/* MUST_SIGN already includes the MAY_SIGN FLAG
		638	so if this is zero it means that signing is disabled */
		639	cFYI(1, ("Signing disabled"));
637	if(server->secMode & SECMODE_SIGN_REQUIRED)	640	if(server->secMode & SECMODE_SIGN_REQUIRED)
638	cERROR(1,("Server requires "	641	cERROR(1, ("Server requires "
639	"/proc/fs/cifs/PacketSigningEnabled to be on"));	642	"/proc/fs/cifs/PacketSigningEnabled "
		643	"to be on"));
640	server->secMode &=	644	server->secMode &=
641	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);	645	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);
642	} else if(sign_CIFS_PDUs == 1) {	646	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
		647	/* signing required */
		648	cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
		649	if ((server->secMode &
		650	(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED)) == 0) {
		651	cERROR(1,
		652	("signing required but server lacks support"));
		653	} else
		654	server->secMode \|= SECMODE_SIGN_REQUIRED;
		655	} else {
		656	/* signing optional ie CIFSSEC_MAY_SIGN */
643	if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)	657	if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
644	server->secMode &=	658	server->secMode &=
645	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);	659	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);
646	} else if(sign_CIFS_PDUs == 2) {
647	if((server->secMode &
648	(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED)) == 0) {
649	cERROR(1,("signing required but server lacks support"));
650	}
651	}	660	}
		661
652	neg_err_exit:	662	neg_err_exit:
653	cifs_buf_release(pSMB);	663	cifs_buf_release(pSMB);
654		664