Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 750d1151 authored by Steve French's avatar Steve French
Browse files

[CIFS] Fix allocation of buffers for new session setup routine to allow


longer user and domain names and allow passing sec options on mount

Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 124a27fe
Loading
Loading
Loading
Loading
+2 −1
Original line number Diff line number Diff line
@@ -7,7 +7,8 @@ so we can do search (ls etc.) to OS/2. Do not send NTCreateX
or recent levels of FindFirst unless server says it supports NT SMBs
(instead use legacy equivalents from LANMAN dialect). Fix to allow
NTLMv2 authentication support (now can use stronger password hashing
on mount if corresponding /proc/fs/cifs/SecurityFlags is set (0x4004)
on mount if corresponding /proc/fs/cifs/SecurityFlags is set (0x4004).
Allow override of global cifs security flags on mount via "sec=" option(s).

Version 1.43
------------
+4 −1
Original line number Diff line number Diff line
@@ -443,6 +443,9 @@ A partial list of the supported mount options follows:
		SFU does).  In the future the bottom 9 bits of the mode
		mode also will be emulated using queries of the security
		descriptor (ACL).
 sign           Must use packet signing (helps avoid unwanted data modification
		by intermediate systems in the route).  Note that signing
		does not work with lanman or plaintext authentication.
 sec            Security mode.  Allowed values are:
			none	attempt to connection as a null user (no name)
			krb5    Use Kerberos version 5 authentication
+1 −0
Original line number Diff line number Diff line
@@ -186,6 +186,7 @@ struct cifsSesInfo {
	struct TCP_Server_Info *server;	/* pointer to server info */
	atomic_t inUse; /* # of mounts (tree connections) on this ses */
	enum statusEnum status;
	unsigned overrideSecFlg;  /* if non-zero override global sec flags */
	__u16 ipc_tid;		/* special tid for connection to IPC share */
	__u16 flags;
	char *serverOS;		/* name of operating system underlying server */
+13 −5
Original line number Diff line number Diff line
@@ -396,6 +396,7 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
	int i;
	struct TCP_Server_Info * server;
	u16 count;
	unsigned int secFlags;

	if(ses->server)
		server = ses->server;
@@ -407,9 +408,16 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
		      (void **) &pSMB, (void **) &pSMBr);
	if (rc)
		return rc;

	/* if any of auth flags (ie not sign or seal) are overriden use them */
	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
		secFlags = ses->overrideSecFlg;
	else /* if override flags set only sign/seal OR them with global auth */
		secFlags = extended_security | ses->overrideSecFlg;

	pSMB->hdr.Mid = GetNextMid(server);
	pSMB->hdr.Flags2 |= SMBFLG2_UNICODE;
	if((extended_security & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
	if((secFlags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
		pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
	
	count = 0;
@@ -439,8 +447,8 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
			&& (pSMBr->DialectIndex == LANMAN_PROT)) {
		struct lanman_neg_rsp * rsp = (struct lanman_neg_rsp *)pSMBr;

		if((extended_security & CIFSSEC_MAY_LANMAN) || 
			(extended_security & CIFSSEC_MAY_PLNTXT))
		if((secFlags & CIFSSEC_MAY_LANMAN) || 
			(secFlags & CIFSSEC_MAY_PLNTXT))
			server->secType = LANMAN;
		else {
			cERROR(1, ("mount failed weak security disabled"
@@ -498,12 +506,12 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)

	if((server->secMode & SECMODE_PW_ENCRYPT) == 0)
#ifdef CONFIG_CIFS_WEAK_PW_HASH
		if ((extended_security & CIFSSEC_MAY_PLNTXT) == 0)
		if ((secFlags & CIFSSEC_MAY_PLNTXT) == 0)
#endif /* CIFS_WEAK_PW_HASH */
			cERROR(1,("Server requests plain text password"
				  " but client support disabled"));

	if(extended_security & CIFSSEC_MUST_NTLMV2)
	if(secFlags & CIFSSEC_MUST_NTLMV2)
		server->secType = NTLMv2;
	else
		server->secType = NTLM;
+14 −9
Original line number Diff line number Diff line
@@ -915,32 +915,32 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
				cERROR(1,("no security value specified"));
                                continue;
                        } else if (strnicmp(value, "krb5i", 5) == 0) {
				vol->secFlg = CIFSSEC_MAY_KRB5 | 
				vol->secFlg |= CIFSSEC_MAY_KRB5 | 
					CIFSSEC_MUST_SIGN;
			} else if (strnicmp(value, "krb5p", 5) == 0) {
				/* vol->secFlg = CIFSSEC_MUST_SEAL | 
				/* vol->secFlg |= CIFSSEC_MUST_SEAL | 
					CIFSSEC_MAY_KRB5; */ 
				cERROR(1,("Krb5 cifs privacy not supported"));
				return 1;
			} else if (strnicmp(value, "krb5", 4) == 0) {
				vol->secFlg = CIFSSEC_MAY_KRB5;
				vol->secFlg |= CIFSSEC_MAY_KRB5;
			} else if (strnicmp(value, "ntlmv2i", 7) == 0) {
				vol->secFlg = CIFSSEC_MAY_NTLMV2 |
				vol->secFlg |= CIFSSEC_MAY_NTLMV2 |
					CIFSSEC_MUST_SIGN;
			} else if (strnicmp(value, "ntlmv2", 6) == 0) {
				vol->secFlg = CIFSSEC_MAY_NTLMV2;
				vol->secFlg |= CIFSSEC_MAY_NTLMV2;
			} else if (strnicmp(value, "ntlmi", 5) == 0) {
				vol->secFlg = CIFSSEC_MAY_NTLM |
				vol->secFlg |= CIFSSEC_MAY_NTLM |
					CIFSSEC_MUST_SIGN;
			} else if (strnicmp(value, "ntlm", 4) == 0) {
				/* ntlm is default so can be turned off too */
				vol->secFlg = CIFSSEC_MAY_NTLM;
				vol->secFlg |= CIFSSEC_MAY_NTLM;
			} else if (strnicmp(value, "nontlm", 6) == 0) {
				/* BB is there a better way to do this? */
				vol->secFlg = CIFSSEC_MAY_NTLMV2;
				vol->secFlg |= CIFSSEC_MAY_NTLMV2;
#ifdef CONFIG_CIFS_WEAK_PW_HASH
			} else if (strnicmp(value, "lanman", 6) == 0) {
                                vol->secFlg = CIFSSEC_MAY_LANMAN;
                                vol->secFlg |= CIFSSEC_MAY_LANMAN;
#endif
			} else if (strnicmp(value, "none", 4) == 0) {
				vol->nullauth = 1;
@@ -1173,6 +1173,10 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
			vol->no_psx_acl = 0;
		} else if (strnicmp(data, "noacl",5) == 0) {
			vol->no_psx_acl = 1;
		} else if (strnicmp(data, "sign",4) == 0) {
			vol->secFlg |= CIFSSEC_MUST_SIGN;
/*		} else if (strnicmp(data, "seal",4) == 0) {
			vol->secFlg |= CIFSSEC_MUST_SEAL; */
		} else if (strnicmp(data, "direct",6) == 0) {
			vol->direct_io = 1;
		} else if (strnicmp(data, "forcedirectio",13) == 0) {
@@ -1776,6 +1780,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
						volume_info.domainname);
			}
			pSesInfo->linux_uid = volume_info.linux_uid;
			pSesInfo->overrideSecFlg = volume_info.secFlg;
			down(&pSesInfo->sesSem);
			/* BB FIXME need to pass vol->secFlgs BB */
			rc = cifs_setup_session(xid,pSesInfo, cifs_sb->local_nls);
Loading