10 files changed, 71 insertions, 82 deletions
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 2f3a89a2c497..49020ae460cf 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -511,6 +511,7 @@ struct TCP_Server_Info {
        struct task_struct *tsk;
        char server_GUID[16];
        __u16 sec_mode;
+        bool sign; /* is signing enabled on this connection? */
        bool session_estab; /* mark when very first sess is established */
 #ifdef CONFIG_CIFS_SMB2
        int echo_credits;  /* echo reserved slots */
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index f0e93ffe654c..ede010fd046a 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -212,7 +212,7 @@ extern int cifs_negotiate_protocol(const unsigned int xid,
                                   struct cifs_ses *ses);
 extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
                              struct nls_table *nls_info);
-extern int cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags);
+extern int cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required);
 extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);
 extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 80ca6886a816..dd7e2f61f607 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -418,32 +418,43 @@ decode_ext_sec_blob(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
 }
 int
-cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags)
+cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required)
 {
-        if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
+        bool srv_sign_required = server->sec_mode & SECMODE_SIGN_REQUIRED;
-                /* MUST_SIGN already includes the MAY_SIGN FLAG
+        bool srv_sign_enabled = server->sec_mode & SECMODE_SIGN_ENABLED;
-                   so if this is zero it means that signing is disabled */
+        bool mnt_sign_enabled = global_secflags & CIFSSEC_MAY_SIGN;
-                cifs_dbg(FYI, "Signing disabled\n");
-                if (server->sec_mode & SECMODE_SIGN_REQUIRED) {
+        /*
-                        cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");
+         * Is signing required by mnt options? If not then check
-                        return -EOPNOTSUPP;
+         * global_secflags to see if it is there.
+         */
+        if (!mnt_sign_required)
+                mnt_sign_required = ((global_secflags & CIFSSEC_MUST_SIGN) ==
+                                                CIFSSEC_MUST_SIGN);
+        /*
+         * If signing is required then it's automatically enabled too,
+         * otherwise, check to see if the secflags allow it.
+         */
+        mnt_sign_enabled = mnt_sign_required ? mnt_sign_required :
+                                (global_secflags & CIFSSEC_MAY_SIGN);
+        /* If server requires signing, does client allow it? */
+        if (srv_sign_required) {
+                if (!mnt_sign_enabled) {
+                        cifs_dbg(VFS, "Server requires signing, but it's disabled in SecurityFlags!");
+                        return -ENOTSUPP;
                }
-                server->sec_mode &=
+                server->sign = true;
-                        ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+        }
-        } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
-                /* signing required */
+        /* If client requires signing, does server allow it? */
-                cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);
+        if (mnt_sign_required) {
-                if ((server->sec_mode &
+                if (!srv_sign_enabled) {
-                        (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+                        cifs_dbg(VFS, "Server does not support signing!");
-                        cifs_dbg(VFS, "signing required but server lacks support\n");
+                        return -ENOTSUPP;
-                        return -EOPNOTSUPP;
+                }
-                } else
+                server->sign = true;
-                        server->sec_mode |= SECMODE_SIGN_REQUIRED;
-        } else {
-                /* signing optional ie CIFSSEC_MAY_SIGN */
-                if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)
-                        server->sec_mode &=
-                                ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
        }
        return 0;
@@ -685,7 +696,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
 signing_check:
        if (!rc)
-                rc = cifs_enable_signing(server, secFlags);
+                rc = cifs_enable_signing(server, ses->sign);
 neg_err_exit:
        cifs_buf_release(pSMB);
@@ -810,9 +821,8 @@ CIFSSMBLogoff(const unsigned int xid, struct cifs_ses *ses)
        pSMB->hdr.Mid = get_next_mid(ses->server);
-        if (ses->server->sec_mode &
+        if (ses->server->sign)
-                   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+                pSMB->hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
-                        pSMB->hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        pSMB->hdr.Uid = ses->Suid;
@@ -1573,8 +1583,7 @@ cifs_readv_callback(struct mid_q_entry *mid)
        switch (mid->mid_state) {
        case MID_RESPONSE_RECEIVED:
                /* result already set, check signature */
-                if (server->sec_mode &
+                if (server->sign) {
-                    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
                        int rc = 0;
                        rc = cifs_verify_signature(&rqst, server,
@@ -4827,11 +4836,8 @@ getDFSRetry:
                strncpy(pSMB->RequestFileName, search_name, name_len);
        }
-        if (ses->server) {
+        if (ses->server && ses->server->sign)
-                if (ses->server->sec_mode &
+                pSMB->hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
-                   (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
-                        pSMB->hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
-        }
        pSMB->hdr.Uid = ses->Suid;
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index f638b5e1a2d2..acbb255352af 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2037,13 +2037,8 @@ match_security(struct TCP_Server_Info *server, struct smb_vol *vol)
        }
        /* now check if signing mode is acceptable */
-        if ((secFlags & CIFSSEC_MAY_SIGN) == 0 &&
+        if (vol->sign && !server->sign)
-            (server->sec_mode & SECMODE_SIGN_REQUIRED))
+                return false;
-                        return false;
-        else if (((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) &&
-                 (server->sec_mode &
-                  (SECMODE_SIGN_ENABLED|SECMODE_SIGN_REQUIRED)) == 0)
-                        return false;
        return true;
 }
@@ -3704,8 +3699,7 @@ CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
                }
        }
-        if (ses->server->sec_mode &
+        if (ses->server->sign)
-                        (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
                smb_buffer->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        if (ses->capabilities & CAP_STATUS32) {
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 1bec014779fd..f7d4b2285efe 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -267,8 +267,7 @@ header_assemble(struct smb_hdr *buffer, char smb_command /* command */ ,
                if (treeCon->nocase)
                        buffer->Flags  |= SMBFLG_CASELESS;
                if ((treeCon->ses) && (treeCon->ses->server))
-                        if (treeCon->ses->server->sec_mode &
+                        if (treeCon->ses->server->sign)
-                          (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
                                buffer->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        }
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 0d0fe38f66a2..82b784a62c16 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -138,8 +138,7 @@ static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, SESSION_SETUP_ANDX *pSMB)
        capabilities = CAP_LARGE_FILES | CAP_NT_SMBS | CAP_LEVEL_II_OPLOCKS |
                        CAP_LARGE_WRITE_X | CAP_LARGE_READ_X;
-        if (ses->server->sec_mode &
+        if (ses->server->sign)
-            (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
                pSMB->req.hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        if (ses->capabilities & CAP_UNICODE) {
@@ -427,8 +426,7 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
        flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-        if (ses->server->sec_mode &
+        if (ses->server->sign) {
-                        (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
                flags |= NTLMSSP_NEGOTIATE_SIGN;
                if (!ses->server->session_estab)
                        flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
@@ -466,8 +464,7 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer,
                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-        if (ses->server->sec_mode &
+        if (ses->server->sign) {
-           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
                flags |= NTLMSSP_NEGOTIATE_SIGN;
                if (!ses->server->session_estab)
                        flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
index 7d1c78bce4ae..b28aabd33edd 100644
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -449,8 +449,7 @@ cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info)
         * WRITEX header, not including the 4 byte RFC1001 length.
         */
        if (!(server->capabilities & CAP_LARGE_WRITE_X) ||
-            (!(server->capabilities & CAP_UNIX) &&
+            (!(server->capabilities & CAP_UNIX) && server->sign))
-             (server->sec_mode & (SECMODE_SIGN_ENABLED|SECMODE_SIGN_REQUIRED))))
                wsize = min_t(unsigned int, wsize,
                                server->maxBuf - sizeof(WRITE_REQ) + 4);
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 1609699e7bec..ad8ef10de0bd 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -119,8 +119,7 @@ smb2_hdr_assemble(struct smb2_hdr *hdr, __le16 smb2_cmd /* command */ ,
        /* BB how does SMB2 do case sensitive? */
        /* if (tcon->nocase)
                hdr->Flags |= SMBFLG_CASELESS; */
-        if (tcon->ses && tcon->ses->server &&
+        if (tcon->ses && tcon->ses->server && tcon->ses->server->sign)
-            (tcon->ses->server->sec_mode & SECMODE_SIGN_REQUIRED))
                hdr->Flags |= SMB2_FLAGS_SIGNED;
 out:
        pdu->StructureSize2 = cpu_to_le16(parmsize);
@@ -330,7 +329,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
        int resp_buftype;
        struct TCP_Server_Info *server = ses->server;
        unsigned int sec_flags;
-        u16 temp = 0;
        int blob_offset, blob_length;
        char *security_blob;
        int flags = CIFS_NEG_OP;
@@ -362,12 +360,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
        inc_rfc1001_len(req, 2);
        /* only one of SMB2 signing flags may be set in SMB2 request */
-        if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)
+        if (ses->sign)
-                temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
+                req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED;
-        else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */
+        else if (global_secflags & CIFSSEC_MAY_SIGN)
-                temp = SMB2_NEGOTIATE_SIGNING_ENABLED;
+                req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED;
+        else
-        req->SecurityMode = cpu_to_le16(temp);
+                req->SecurityMode = 0;
        req->Capabilities = cpu_to_le32(ses->server->vals->req_capabilities);
@@ -424,8 +422,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
                goto neg_exit;
        }
-        cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);
+        rc = cifs_enable_signing(server, ses->sign);
-        rc = cifs_enable_signing(server, sec_flags);
 #ifdef CONFIG_SMB2_ASN1  /* BB REMOVEME when updated asn1.c ready */
        if (rc)
                goto neg_exit;
@@ -457,7 +454,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
        __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
        struct TCP_Server_Info *server = ses->server;
        unsigned int sec_flags;
-        u8 temp = 0;
        u16 blob_length = 0;
        char *security_blob;
        char *ntlmssp_blob = NULL;
@@ -502,14 +498,13 @@ ssetup_ntlmssp_authenticate:
        req->hdr.CreditRequest = cpu_to_le16(3);
        /* only one of SMB2 signing flags may be set in SMB2 request */
-        if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)
+        if (server->sign)
-                temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
+                req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED;
-        else if (ses->server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
+        else if (global_secflags & CIFSSEC_MAY_SIGN) /* one flag unlike MUST_ */
-                temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;
+                req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-        else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */
+        else
-                temp = SMB2_NEGOTIATE_SIGNING_ENABLED;
+                req->SecurityMode = 0;
-        req->SecurityMode = temp;
        req->Capabilities = 0;
        req->Channel = 0; /* MBZ */
@@ -652,7 +647,7 @@ SMB2_logoff(const unsigned int xid, struct cifs_ses *ses)
         /* since no tcon, smb2_init can not do this, so do here */
        req->hdr.SessionId = ses->Suid;
-        if (server->sec_mode & SECMODE_SIGN_REQUIRED)
+        if (server->sign)
                req->hdr.Flags |= SMB2_FLAGS_SIGNED;
        rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0);
@@ -1357,8 +1352,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
        case MID_RESPONSE_RECEIVED:
                credits_received = le16_to_cpu(buf->CreditRequest);
                /* result already set, check signature */
-                if (server->sec_mode &
+                if (server->sign) {
-                    (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
                        int rc;
                        rc = smb2_verify_signature(&rqst, server);
diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c
index 01f0ac800780..c802ecfa770e 100644
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -275,8 +275,7 @@ smb2_check_receive(struct mid_q_entry *mid, struct TCP_Server_Info *server,
        dump_smb(mid->resp_buf, min_t(u32, 80, len));
        /* convert the length into a more usable form */
-        if ((len > 24) &&
+        if (len > 24 && server->sign) {
-            (server->sec_mode & (SECMODE_SIGN_REQUIRED|SECMODE_SIGN_ENABLED))) {
                int rc;
                rc = smb2_verify_signature(&rqst, server);
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index bfbf4700d160..1996d6ceb833 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -463,7 +463,7 @@ cifs_setup_async_request(struct TCP_Server_Info *server, struct smb_rqst *rqst)
        struct mid_q_entry *mid;
        /* enable signing if server requires it */
-        if (server->sec_mode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+        if (server->sign)
                hdr->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        mid = AllocMidQEntry(hdr, server);
@@ -612,7 +612,7 @@ cifs_check_receive(struct mid_q_entry *mid, struct TCP_Server_Info *server,
        dump_smb(mid->resp_buf, min_t(u32, 92, len));
        /* convert the length into a more usable form */
-        if (server->sec_mode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
+        if (server->sign) {
                struct kvec iov;
                int rc = 0;
                struct smb_rqst rqst = { .rq_iov = &iov,

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 2f3a89a2c497..49020ae460cf 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -511,6 +511,7 @@ struct TCP_Server_Info {
511	struct task_struct *tsk;	511	struct task_struct *tsk;
512	char server_GUID[16];	512	char server_GUID[16];
513	__u16 sec_mode;	513	__u16 sec_mode;
		514	bool sign; /* is signing enabled on this connection? */
514	bool session_estab; /* mark when very first sess is established */	515	bool session_estab; /* mark when very first sess is established */
515	#ifdef CONFIG_CIFS_SMB2	516	#ifdef CONFIG_CIFS_SMB2
516	int echo_credits; /* echo reserved slots */	517	int echo_credits; /* echo reserved slots */


diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h index f0e93ffe654c..ede010fd046a 100644 --- a/fs/cifs/cifsproto.h +++ b/fs/cifs/cifsproto.h
@@ -212,7 +212,7 @@ extern int cifs_negotiate_protocol(const unsigned int xid,
212	struct cifs_ses *ses);	212	struct cifs_ses *ses);
213	extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,	213	extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
214	struct nls_table *nls_info);	214	struct nls_table *nls_info);
215	extern int cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags);	215	extern int cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required);
216	extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);	216	extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);
217		217
218	extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,	218	extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,


diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 80ca6886a816..dd7e2f61f607 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -418,32 +418,43 @@ decode_ext_sec_blob(struct TCP_Server_Info server, NEGOTIATE_RSP pSMBr)
418	}	418	}
419		419
420	int	420	int
421	cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags)	421	cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required)
422	{	422	{
423	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {	423	bool srv_sign_required = server->sec_mode & SECMODE_SIGN_REQUIRED;
424	/* MUST_SIGN already includes the MAY_SIGN FLAG	424	bool srv_sign_enabled = server->sec_mode & SECMODE_SIGN_ENABLED;
425	so if this is zero it means that signing is disabled */	425	bool mnt_sign_enabled = global_secflags & CIFSSEC_MAY_SIGN;
426	cifs_dbg(FYI, "Signing disabled\n");	426
427	if (server->sec_mode & SECMODE_SIGN_REQUIRED) {	427	/*
428	cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");	428	* Is signing required by mnt options? If not then check
429	return -EOPNOTSUPP;	429	* global_secflags to see if it is there.
		430	*/
		431	if (!mnt_sign_required)
		432	mnt_sign_required = ((global_secflags & CIFSSEC_MUST_SIGN) ==
		433	CIFSSEC_MUST_SIGN);
		434
		435	/*
		436	* If signing is required then it's automatically enabled too,
		437	* otherwise, check to see if the secflags allow it.
		438	*/
		439	mnt_sign_enabled = mnt_sign_required ? mnt_sign_required :
		440	(global_secflags & CIFSSEC_MAY_SIGN);
		441
		442	/* If server requires signing, does client allow it? */
		443	if (srv_sign_required) {
		444	if (!mnt_sign_enabled) {
		445	cifs_dbg(VFS, "Server requires signing, but it's disabled in SecurityFlags!");
		446	return -ENOTSUPP;
430	}	447	}
431	server->sec_mode &=	448	server->sign = true;
432	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);	449	}
433	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {	450
434	/* signing required */	451	/* If client requires signing, does server allow it? */
435	cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);	452	if (mnt_sign_required) {
436	if ((server->sec_mode &	453	if (!srv_sign_enabled) {
437	(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED)) == 0) {	454	cifs_dbg(VFS, "Server does not support signing!");
438	cifs_dbg(VFS, "signing required but server lacks support\n");	455	return -ENOTSUPP;
439	return -EOPNOTSUPP;	456	}
440	} else	457	server->sign = true;
441	server->sec_mode \|= SECMODE_SIGN_REQUIRED;
442	} else {
443	/* signing optional ie CIFSSEC_MAY_SIGN */
444	if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)
445	server->sec_mode &=
446	~(SECMODE_SIGN_ENABLED \| SECMODE_SIGN_REQUIRED);
447	}	458	}
448		459
449	return 0;	460	return 0;
@@ -685,7 +696,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
685		696
686	signing_check:	697	signing_check:
687	if (!rc)	698	if (!rc)
688	rc = cifs_enable_signing(server, secFlags);	699	rc = cifs_enable_signing(server, ses->sign);
689	neg_err_exit:	700	neg_err_exit:
690	cifs_buf_release(pSMB);	701	cifs_buf_release(pSMB);
691		702
@@ -810,9 +821,8 @@ CIFSSMBLogoff(const unsigned int xid, struct cifs_ses *ses)
810		821
811	pSMB->hdr.Mid = get_next_mid(ses->server);	822	pSMB->hdr.Mid = get_next_mid(ses->server);
812		823
813	if (ses->server->sec_mode &	824	if (ses->server->sign)
814	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))	825	pSMB->hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
815	pSMB->hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
816		826
817	pSMB->hdr.Uid = ses->Suid;	827	pSMB->hdr.Uid = ses->Suid;
818		828
@@ -1573,8 +1583,7 @@ cifs_readv_callback(struct mid_q_entry *mid)
1573	switch (mid->mid_state) {	1583	switch (mid->mid_state) {
1574	case MID_RESPONSE_RECEIVED:	1584	case MID_RESPONSE_RECEIVED:
1575	/* result already set, check signature */	1585	/* result already set, check signature */
1576	if (server->sec_mode &	1586	if (server->sign) {
1577	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED)) {
1578	int rc = 0;	1587	int rc = 0;
1579		1588
1580	rc = cifs_verify_signature(&rqst, server,	1589	rc = cifs_verify_signature(&rqst, server,
@@ -4827,11 +4836,8 @@ getDFSRetry:
4827	strncpy(pSMB->RequestFileName, search_name, name_len);	4836	strncpy(pSMB->RequestFileName, search_name, name_len);
4828	}	4837	}
4829		4838
4830	if (ses->server) {	4839	if (ses->server && ses->server->sign)
4831	if (ses->server->sec_mode &	4840	pSMB->hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
4832	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
4833	pSMB->hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
4834	}
4835		4841
4836	pSMB->hdr.Uid = ses->Suid;	4842	pSMB->hdr.Uid = ses->Suid;
4837		4843


diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index f638b5e1a2d2..acbb255352af 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -2037,13 +2037,8 @@ match_security(struct TCP_Server_Info server, struct smb_vol vol)
2037	}	2037	}
2038		2038
2039	/* now check if signing mode is acceptable */	2039	/* now check if signing mode is acceptable */
2040	if ((secFlags & CIFSSEC_MAY_SIGN) == 0 &&	2040	if (vol->sign && !server->sign)
2041	(server->sec_mode & SECMODE_SIGN_REQUIRED))	2041	return false;
2042	return false;
2043	else if (((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) &&
2044	(server->sec_mode &
2045	(SECMODE_SIGN_ENABLED\|SECMODE_SIGN_REQUIRED)) == 0)
2046	return false;
2047		2042
2048	return true;	2043	return true;
2049	}	2044	}
@@ -3704,8 +3699,7 @@ CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
3704	}	3699	}
3705	}	3700	}
3706		3701
3707	if (ses->server->sec_mode &	3702	if (ses->server->sign)
3708	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
3709	smb_buffer->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;	3703	smb_buffer->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
3710		3704
3711	if (ses->capabilities & CAP_STATUS32) {	3705	if (ses->capabilities & CAP_STATUS32) {


diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index 1bec014779fd..f7d4b2285efe 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c
@@ -267,8 +267,7 @@ header_assemble(struct smb_hdr buffer, char smb_command / command */ ,
267	if (treeCon->nocase)	267	if (treeCon->nocase)
268	buffer->Flags \|= SMBFLG_CASELESS;	268	buffer->Flags \|= SMBFLG_CASELESS;
269	if ((treeCon->ses) && (treeCon->ses->server))	269	if ((treeCon->ses) && (treeCon->ses->server))
270	if (treeCon->ses->server->sec_mode &	270	if (treeCon->ses->server->sign)
271	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
272	buffer->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;	271	buffer->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
273	}	272	}
274		273


diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 0d0fe38f66a2..82b784a62c16 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c
@@ -138,8 +138,7 @@ static __u32 cifs_ssetup_hdr(struct cifs_ses ses, SESSION_SETUP_ANDX pSMB)
138	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|	138	capabilities = CAP_LARGE_FILES \| CAP_NT_SMBS \| CAP_LEVEL_II_OPLOCKS \|
139	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;	139	CAP_LARGE_WRITE_X \| CAP_LARGE_READ_X;
140		140
141	if (ses->server->sec_mode &	141	if (ses->server->sign)
142	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
143	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;	142	pSMB->req.hdr.Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
144		143
145	if (ses->capabilities & CAP_UNICODE) {	144	if (ses->capabilities & CAP_UNICODE) {
@@ -427,8 +426,7 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
427	flags = NTLMSSP_NEGOTIATE_56 \| NTLMSSP_REQUEST_TARGET \|	426	flags = NTLMSSP_NEGOTIATE_56 \| NTLMSSP_REQUEST_TARGET \|
428	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|	427	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
429	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC;	428	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC;
430	if (ses->server->sec_mode &	429	if (ses->server->sign) {
431	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED)) {
432	flags \|= NTLMSSP_NEGOTIATE_SIGN;	430	flags \|= NTLMSSP_NEGOTIATE_SIGN;
433	if (!ses->server->session_estab)	431	if (!ses->server->session_estab)
434	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;	432	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;
@@ -466,8 +464,7 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer,
466	NTLMSSP_REQUEST_TARGET \| NTLMSSP_NEGOTIATE_TARGET_INFO \|	464	NTLMSSP_REQUEST_TARGET \| NTLMSSP_NEGOTIATE_TARGET_INFO \|
467	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|	465	NTLMSSP_NEGOTIATE_128 \| NTLMSSP_NEGOTIATE_UNICODE \|
468	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC;	466	NTLMSSP_NEGOTIATE_NTLM \| NTLMSSP_NEGOTIATE_EXTENDED_SEC;
469	if (ses->server->sec_mode &	467	if (ses->server->sign) {
470	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED)) {
471	flags \|= NTLMSSP_NEGOTIATE_SIGN;	468	flags \|= NTLMSSP_NEGOTIATE_SIGN;
472	if (!ses->server->session_estab)	469	if (!ses->server->session_estab)
473	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;	470	flags \|= NTLMSSP_NEGOTIATE_KEY_XCH;


diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c index 7d1c78bce4ae..b28aabd33edd 100644 --- a/fs/cifs/smb1ops.c +++ b/fs/cifs/smb1ops.c
@@ -449,8 +449,7 @@ cifs_negotiate_wsize(struct cifs_tcon tcon, struct smb_vol volume_info)
449	* WRITEX header, not including the 4 byte RFC1001 length.	449	* WRITEX header, not including the 4 byte RFC1001 length.
450	*/	450	*/
451	if (!(server->capabilities & CAP_LARGE_WRITE_X) \|\|	451	if (!(server->capabilities & CAP_LARGE_WRITE_X) \|\|
452	(!(server->capabilities & CAP_UNIX) &&	452	(!(server->capabilities & CAP_UNIX) && server->sign))
453	(server->sec_mode & (SECMODE_SIGN_ENABLED\|SECMODE_SIGN_REQUIRED))))
454	wsize = min_t(unsigned int, wsize,	453	wsize = min_t(unsigned int, wsize,
455	server->maxBuf - sizeof(WRITE_REQ) + 4);	454	server->maxBuf - sizeof(WRITE_REQ) + 4);
456		455


diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 1609699e7bec..ad8ef10de0bd 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c
@@ -119,8 +119,7 @@ smb2_hdr_assemble(struct smb2_hdr hdr, __le16 smb2_cmd / command */ ,
119	/* BB how does SMB2 do case sensitive? */	119	/* BB how does SMB2 do case sensitive? */
120	/* if (tcon->nocase)	120	/* if (tcon->nocase)
121	hdr->Flags \|= SMBFLG_CASELESS; */	121	hdr->Flags \|= SMBFLG_CASELESS; */
122	if (tcon->ses && tcon->ses->server &&	122	if (tcon->ses && tcon->ses->server && tcon->ses->server->sign)
123	(tcon->ses->server->sec_mode & SECMODE_SIGN_REQUIRED))
124	hdr->Flags \|= SMB2_FLAGS_SIGNED;	123	hdr->Flags \|= SMB2_FLAGS_SIGNED;
125	out:	124	out:
126	pdu->StructureSize2 = cpu_to_le16(parmsize);	125	pdu->StructureSize2 = cpu_to_le16(parmsize);
@@ -330,7 +329,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
330	int resp_buftype;	329	int resp_buftype;
331	struct TCP_Server_Info *server = ses->server;	330	struct TCP_Server_Info *server = ses->server;
332	unsigned int sec_flags;	331	unsigned int sec_flags;
333	u16 temp = 0;
334	int blob_offset, blob_length;	332	int blob_offset, blob_length;
335	char *security_blob;	333	char *security_blob;
336	int flags = CIFS_NEG_OP;	334	int flags = CIFS_NEG_OP;
@@ -362,12 +360,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
362	inc_rfc1001_len(req, 2);	360	inc_rfc1001_len(req, 2);
363		361
364	/* only one of SMB2 signing flags may be set in SMB2 request */	362	/* only one of SMB2 signing flags may be set in SMB2 request */
365	if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)	363	if (ses->sign)
366	temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;	364	req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED;
367	else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */	365	else if (global_secflags & CIFSSEC_MAY_SIGN)
368	temp = SMB2_NEGOTIATE_SIGNING_ENABLED;	366	req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED;
369		367	else
370	req->SecurityMode = cpu_to_le16(temp);	368	req->SecurityMode = 0;
371		369
372	req->Capabilities = cpu_to_le32(ses->server->vals->req_capabilities);	370	req->Capabilities = cpu_to_le32(ses->server->vals->req_capabilities);
373		371
@@ -424,8 +422,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
424	goto neg_exit;	422	goto neg_exit;
425	}	423	}
426		424
427	cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);	425	rc = cifs_enable_signing(server, ses->sign);
428	rc = cifs_enable_signing(server, sec_flags);
429	#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */	426	#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
430	if (rc)	427	if (rc)
431	goto neg_exit;	428	goto neg_exit;
@@ -457,7 +454,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
457	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */	454	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
458	struct TCP_Server_Info *server = ses->server;	455	struct TCP_Server_Info *server = ses->server;
459	unsigned int sec_flags;	456	unsigned int sec_flags;
460	u8 temp = 0;
461	u16 blob_length = 0;	457	u16 blob_length = 0;
462	char *security_blob;	458	char *security_blob;
463	char *ntlmssp_blob = NULL;	459	char *ntlmssp_blob = NULL;
@@ -502,14 +498,13 @@ ssetup_ntlmssp_authenticate:
502	req->hdr.CreditRequest = cpu_to_le16(3);	498	req->hdr.CreditRequest = cpu_to_le16(3);
503		499
504	/* only one of SMB2 signing flags may be set in SMB2 request */	500	/* only one of SMB2 signing flags may be set in SMB2 request */
505	if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN)	501	if (server->sign)
506	temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;	502	req->SecurityMode = SMB2_NEGOTIATE_SIGNING_REQUIRED;
507	else if (ses->server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)	503	else if (global_secflags & CIFSSEC_MAY_SIGN) /* one flag unlike MUST_ */
508	temp = SMB2_NEGOTIATE_SIGNING_REQUIRED;	504	req->SecurityMode = SMB2_NEGOTIATE_SIGNING_ENABLED;
509	else if (sec_flags & CIFSSEC_MAY_SIGN) /* MAY_SIGN is a single flag */	505	else
510	temp = SMB2_NEGOTIATE_SIGNING_ENABLED;	506	req->SecurityMode = 0;
511		507
512	req->SecurityMode = temp;
513	req->Capabilities = 0;	508	req->Capabilities = 0;
514	req->Channel = 0; /* MBZ */	509	req->Channel = 0; /* MBZ */
515		510
@@ -652,7 +647,7 @@ SMB2_logoff(const unsigned int xid, struct cifs_ses *ses)
652		647
653	/* since no tcon, smb2_init can not do this, so do here */	648	/* since no tcon, smb2_init can not do this, so do here */
654	req->hdr.SessionId = ses->Suid;	649	req->hdr.SessionId = ses->Suid;
655	if (server->sec_mode & SECMODE_SIGN_REQUIRED)	650	if (server->sign)
656	req->hdr.Flags \|= SMB2_FLAGS_SIGNED;	651	req->hdr.Flags \|= SMB2_FLAGS_SIGNED;
657		652
658	rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0);	653	rc = SendReceiveNoRsp(xid, ses, (char *) &req->hdr, 0);
@@ -1357,8 +1352,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
1357	case MID_RESPONSE_RECEIVED:	1352	case MID_RESPONSE_RECEIVED:
1358	credits_received = le16_to_cpu(buf->CreditRequest);	1353	credits_received = le16_to_cpu(buf->CreditRequest);
1359	/* result already set, check signature */	1354	/* result already set, check signature */
1360	if (server->sec_mode &	1355	if (server->sign) {
1361	(SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED)) {
1362	int rc;	1356	int rc;
1363		1357
1364	rc = smb2_verify_signature(&rqst, server);	1358	rc = smb2_verify_signature(&rqst, server);


diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c index 01f0ac800780..c802ecfa770e 100644 --- a/fs/cifs/smb2transport.c +++ b/fs/cifs/smb2transport.c
@@ -275,8 +275,7 @@ smb2_check_receive(struct mid_q_entry mid, struct TCP_Server_Info server,
275		275
276	dump_smb(mid->resp_buf, min_t(u32, 80, len));	276	dump_smb(mid->resp_buf, min_t(u32, 80, len));
277	/* convert the length into a more usable form */	277	/* convert the length into a more usable form */
278	if ((len > 24) &&	278	if (len > 24 && server->sign) {
279	(server->sec_mode & (SECMODE_SIGN_REQUIRED\|SECMODE_SIGN_ENABLED))) {
280	int rc;	279	int rc;
281		280
282	rc = smb2_verify_signature(&rqst, server);	281	rc = smb2_verify_signature(&rqst, server);


diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index bfbf4700d160..1996d6ceb833 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c
@@ -463,7 +463,7 @@ cifs_setup_async_request(struct TCP_Server_Info server, struct smb_rqst rqst)
463	struct mid_q_entry *mid;	463	struct mid_q_entry *mid;
464		464
465	/* enable signing if server requires it */	465	/* enable signing if server requires it */
466	if (server->sec_mode & (SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))	466	if (server->sign)
467	hdr->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;	467	hdr->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
468		468
469	mid = AllocMidQEntry(hdr, server);	469	mid = AllocMidQEntry(hdr, server);
@@ -612,7 +612,7 @@ cifs_check_receive(struct mid_q_entry mid, struct TCP_Server_Info server,
612	dump_smb(mid->resp_buf, min_t(u32, 92, len));	612	dump_smb(mid->resp_buf, min_t(u32, 92, len));
613		613
614	/* convert the length into a more usable form */	614	/* convert the length into a more usable form */
615	if (server->sec_mode & (SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED)) {	615	if (server->sign) {
616	struct kvec iov;	616	struct kvec iov;
617	int rc = 0;	617	int rc = 0;
618	struct smb_rqst rqst = { .rq_iov = &iov,	618	struct smb_rqst rqst = { .rq_iov = &iov,