Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ddec561 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French
Browse files

cifs: move handling of signed connections into separate function 



Move the sanity checks for signed connections into a separate function.
SMB2's was a cut-and-paste job from CIFS code, so we can make them use
the same function.

Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Reviewed-by: default avatarPavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent 2190eca1

fs/cifs/cifsproto.h

+1 −0
Original line number Diff line number Diff line
@@ -212,6 +212,7 @@ extern int cifs_negotiate_protocol(const unsigned int xid, 
				   struct cifs_ses *ses);

extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,

			      struct nls_table *nls_info);

extern int cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags);

extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);



extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,

fs/cifs/cifssmb.c

+35 −33
Original line number Diff line number Diff line
@@ -417,6 +417,38 @@ decode_ext_sec_blob(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr) 
	return 0;

}



int

cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags)

{

	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {

		/* MUST_SIGN already includes the MAY_SIGN FLAG

		   so if this is zero it means that signing is disabled */

		cifs_dbg(FYI, "Signing disabled\n");

		if (server->sec_mode & SECMODE_SIGN_REQUIRED) {

			cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");

			return -EOPNOTSUPP;

		}

		server->sec_mode &=

			~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {

		/* signing required */

		cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);

		if ((server->sec_mode &

			(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {

			cifs_dbg(VFS, "signing required but server lacks support\n");

			return -EOPNOTSUPP;

		} else

			server->sec_mode |= SECMODE_SIGN_REQUIRED;

	} else {

		/* signing optional ie CIFSSEC_MAY_SIGN */

		if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)

			server->sec_mode &=

				~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

	}



	return 0;

}



#ifdef CONFIG_CIFS_WEAK_PW_HASH

static int

decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
@@ -577,10 +609,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses) 
		goto neg_err_exit;

	} else if (pSMBr->hdr.WordCount == 13) {

		rc = decode_lanman_negprot_rsp(server, pSMBr, secFlags);

		if (!rc)

		goto signing_check;

		else

			goto neg_err_exit;

	} else if (pSMBr->hdr.WordCount != 17) {

		/* unknown wct */

		rc = -EOPNOTSUPP;
@@ -642,36 +671,9 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses) 
	else

		server->capabilities &= ~CAP_EXTENDED_SECURITY;



	if (rc)

		goto neg_err_exit;



signing_check:

	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {

		/* MUST_SIGN already includes the MAY_SIGN FLAG

		   so if this is zero it means that signing is disabled */

		cifs_dbg(FYI, "Signing disabled\n");

		if (server->sec_mode & SECMODE_SIGN_REQUIRED) {

			cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");

			rc = -EOPNOTSUPP;

		}

		server->sec_mode &=

			~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {

		/* signing required */

		cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);

		if ((server->sec_mode &

			(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {

			cifs_dbg(VFS, "signing required but server lacks support\n");

			rc = -EOPNOTSUPP;

		} else

			server->sec_mode |= SECMODE_SIGN_REQUIRED;

	} else {

		/* signing optional ie CIFSSEC_MAY_SIGN */

		if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)

			server->sec_mode &=

				~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

	}



	if (!rc)

		rc = cifs_enable_signing(server, secFlags);

neg_err_exit:

	cifs_buf_release(pSMB);

fs/cifs/smb2pdu.c

+4 −29
Original line number Diff line number Diff line
@@ -423,36 +423,11 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) 
	}



	cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);

	if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {

		cifs_dbg(FYI, "Signing required\n");

		if (!(server->sec_mode & (SMB2_NEGOTIATE_SIGNING_REQUIRED |

		      SMB2_NEGOTIATE_SIGNING_ENABLED))) {

			cifs_dbg(VFS, "signing required but server lacks support\n");

			rc = -EOPNOTSUPP;

			goto neg_exit;

		}

		server->sec_mode |= SECMODE_SIGN_REQUIRED;

	} else if (sec_flags & CIFSSEC_MAY_SIGN) {

		cifs_dbg(FYI, "Signing optional\n");

		if (server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {

			cifs_dbg(FYI, "Server requires signing\n");

			server->sec_mode |= SECMODE_SIGN_REQUIRED;

		} else {

			server->sec_mode &=

				~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

		}

	} else {

		cifs_dbg(FYI, "Signing disabled\n");

		if (server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {

			cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");

			rc = -EOPNOTSUPP;

	rc = cifs_enable_signing(server, sec_flags);

#ifdef CONFIG_SMB2_ASN1  /* BB REMOVEME when updated asn1.c ready */

	if (rc)

		goto neg_exit;

		}

		server->sec_mode &=

			~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);

	}



#ifdef CONFIG_SMB2_ASN1  /* BB REMOVEME when updated asn1.c ready */

	rc = decode_neg_token_init(security_blob, blob_length,

				   &server->sec_type);

	if (rc == 1)