
Commit 762e5ab7 authored by Steve French's avatar Steve French

[CIFS] Fix sign mount option and sign proc config setting



We were checking the wrong (old) global variable to determine
whether to override server and force signing on the SMB
connection.

Acked-by: default avatarDave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 467a8f8d
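--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -901,90 +901,14 @@ security_flags_write(struct file *file, const char __user *buffer,
 	}
 	/* flags look ok - update the global security flags for cifs module */
 	extended_security = flags;
+	if (extended_security & CIFSSEC_MUST_SIGN) {
+		/* requiring signing implies signing is allowed */
+		extended_security |= CIFSSEC_MAY_SIGN;
+		cFYI(1, ("packet signing now required"));
+	} else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
+		cFYI(1, ("packet signing disabled"));
+	}
+	/* BB should we turn on MAY flags for other MUST options? */
 	return count;
 }
-
-/* static int
-ntlmv2_enabled_read(char *page, char **start, off_t off,
-		       int count, int *eof, void *data)
-{
-	int len;
-
-	len = sprintf(page, "%d\n", ntlmv2_support);
-
-	len -= off;
-	*start = page + off;
-
-	if (len > count)
-		len = count;
-	else
-		*eof = 1;
-
-	if (len < 0)
-		len = 0;
-
-	return len;
-}
-static int
-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
-			unsigned long count, void *data)
-{
-	char c;
-	int rc;
-
-	rc = get_user(c, buffer);
-	if (rc)
-		return rc;
-	if (c == '0' || c == 'n' || c == 'N')
-		ntlmv2_support = 0;
-	else if (c == '1' || c == 'y' || c == 'Y')
-		ntlmv2_support = 1;
-	else if (c == '2')
-		ntlmv2_support = 2;
-
-	return count;
-}
-
-static int
-packet_signing_enabled_read(char *page, char **start, off_t off,
-		       int count, int *eof, void *data)
-{
-	int len;
-
-	len = sprintf(page, "%d\n", sign_CIFS_PDUs);
-
-	len -= off;
-	*start = page + off;
-
-	if (len > count)
-		len = count;
-	else
-		*eof = 1;
-
-	if (len < 0)
-		len = 0;
-
-	return len;
-}
-static int
-packet_signing_enabled_write(struct file *file, const char __user *buffer,
-			unsigned long count, void *data)
-{
-	char c;
-	int rc;
-
-	rc = get_user(c, buffer);
-	if (rc)
-		return rc;
-	if (c == '0' || c == 'n' || c == 'N')
-		sign_CIFS_PDUs = 0;
-	else if (c == '1' || c == 'y' || c == 'Y')
-		sign_CIFS_PDUs = 1;
-	else if (c == '2')
-		sign_CIFS_PDUs = 2;
-
-	return count;
-} */
-
-
 #endif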
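Review bot: The added test `if (extended_security & CIFSSEC_MUST_SIGN)` is true when any bit of that mask is set, not only when signing is mandatory. The comment added to CIFSSMBNegotiate in this same commit says MUST_SIGN already includes the MAY_SIGN flag, and if so a may-sign-only write logs "packet signing now required" while signing stays optional, which misleads an administrator checking whether signing is enforced. Compare against the full mask as the negotiate path does: `if ((extended_security & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {`. The flag definitions are not shown here, so this rests on that comment; security_flags_write begins above the hunk.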
+21 −11
@@ -426,7 +426,7 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)


	/* if any of auth flags (ie not sign or seal) are overriden use them */
	/* if any of auth flags (ie not sign or seal) are overriden use them */
	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
	if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
		secFlags = ses->overrideSecFlg;
		secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
	else /* if override flags set only sign/seal OR them with global auth */
	else /* if override flags set only sign/seal OR them with global auth */
		secFlags = extended_security | ses->overrideSecFlg;
		secFlags = extended_security | ses->overrideSecFlg;


@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
#ifdef CONFIG_CIFS_WEAK_PW_HASH
#ifdef CONFIG_CIFS_WEAK_PW_HASH
signing_check:
signing_check:
#endif
#endif
	if(sign_CIFS_PDUs == FALSE) {        
	if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
		/* MUST_SIGN already includes the MAY_SIGN FLAG
		   so if this is zero it means that signing is disabled */
		cFYI(1, ("Signing disabled"));
		if(server->secMode & SECMODE_SIGN_REQUIRED)
		if(server->secMode & SECMODE_SIGN_REQUIRED)
			cERROR(1, ("Server requires "
			cERROR(1, ("Server requires "
				 "/proc/fs/cifs/PacketSigningEnabled to be on"));
				   "/proc/fs/cifs/PacketSigningEnabled "
				   "to be on"));
		server->secMode &= 
		server->secMode &= 
			~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
			~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
	} else if(sign_CIFS_PDUs == 1) {
	} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
		/* signing required */
		cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
		if ((server->secMode &
			(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
			cERROR(1,
				("signing required but server lacks support"));
		} else
			server->secMode |= SECMODE_SIGN_REQUIRED;
	} else {
		/* signing optional ie CIFSSEC_MAY_SIGN */
		if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
		if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
			server->secMode &= 
			server->secMode &= 
				~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
				~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
	} else if(sign_CIFS_PDUs == 2) {
		if((server->secMode & 
			(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
			cERROR(1,("signing required but server lacks support"));
		}
	}
	}
	
neg_err_exit:	
neg_err_exit:	
	cifs_buf_release(pSMB);
	cifs_buf_release(pSMB);