cifs: move handling of signed connections into separate function
Move the sanity checks for signed connections into a separate function. SMB2's was a cut-and-paste job from CIFS code, so we can make them use the same function. Signed-off-by: Jeff Layton <jlayton@redhat.com> Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve French <smfrench@gmail.com>
parent
2190eca1d0
commit
9ddec56131
@ -212,6 +212,7 @@ extern int cifs_negotiate_protocol(const unsigned int xid,
|
|||||||
struct cifs_ses *ses);
|
struct cifs_ses *ses);
|
||||||
extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
|
extern int cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
|
||||||
struct nls_table *nls_info);
|
struct nls_table *nls_info);
|
||||||
|
extern int cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags);
|
||||||
extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);
|
extern int CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses);
|
||||||
|
|
||||||
extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
|
extern int CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
|
||||||
|
@ -417,6 +417,38 @@ decode_ext_sec_blob(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
cifs_enable_signing(struct TCP_Server_Info *server, unsigned int secFlags)
|
||||||
|
{
|
||||||
|
if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
|
||||||
|
/* MUST_SIGN already includes the MAY_SIGN FLAG
|
||||||
|
so if this is zero it means that signing is disabled */
|
||||||
|
cifs_dbg(FYI, "Signing disabled\n");
|
||||||
|
if (server->sec_mode & SECMODE_SIGN_REQUIRED) {
|
||||||
|
cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
}
|
||||||
|
server->sec_mode &=
|
||||||
|
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
||||||
|
} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
|
||||||
|
/* signing required */
|
||||||
|
cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);
|
||||||
|
if ((server->sec_mode &
|
||||||
|
(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
|
||||||
|
cifs_dbg(VFS, "signing required but server lacks support\n");
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
} else
|
||||||
|
server->sec_mode |= SECMODE_SIGN_REQUIRED;
|
||||||
|
} else {
|
||||||
|
/* signing optional ie CIFSSEC_MAY_SIGN */
|
||||||
|
if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)
|
||||||
|
server->sec_mode &=
|
||||||
|
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_CIFS_WEAK_PW_HASH
|
#ifdef CONFIG_CIFS_WEAK_PW_HASH
|
||||||
static int
|
static int
|
||||||
decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
|
decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
|
||||||
@ -577,10 +609,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
|
|||||||
goto neg_err_exit;
|
goto neg_err_exit;
|
||||||
} else if (pSMBr->hdr.WordCount == 13) {
|
} else if (pSMBr->hdr.WordCount == 13) {
|
||||||
rc = decode_lanman_negprot_rsp(server, pSMBr, secFlags);
|
rc = decode_lanman_negprot_rsp(server, pSMBr, secFlags);
|
||||||
if (!rc)
|
goto signing_check;
|
||||||
goto signing_check;
|
|
||||||
else
|
|
||||||
goto neg_err_exit;
|
|
||||||
} else if (pSMBr->hdr.WordCount != 17) {
|
} else if (pSMBr->hdr.WordCount != 17) {
|
||||||
/* unknown wct */
|
/* unknown wct */
|
||||||
rc = -EOPNOTSUPP;
|
rc = -EOPNOTSUPP;
|
||||||
@ -642,36 +671,9 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
|
|||||||
else
|
else
|
||||||
server->capabilities &= ~CAP_EXTENDED_SECURITY;
|
server->capabilities &= ~CAP_EXTENDED_SECURITY;
|
||||||
|
|
||||||
if (rc)
|
|
||||||
goto neg_err_exit;
|
|
||||||
|
|
||||||
signing_check:
|
signing_check:
|
||||||
if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
|
if (!rc)
|
||||||
/* MUST_SIGN already includes the MAY_SIGN FLAG
|
rc = cifs_enable_signing(server, secFlags);
|
||||||
so if this is zero it means that signing is disabled */
|
|
||||||
cifs_dbg(FYI, "Signing disabled\n");
|
|
||||||
if (server->sec_mode & SECMODE_SIGN_REQUIRED) {
|
|
||||||
cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");
|
|
||||||
rc = -EOPNOTSUPP;
|
|
||||||
}
|
|
||||||
server->sec_mode &=
|
|
||||||
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
|
||||||
} else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
|
|
||||||
/* signing required */
|
|
||||||
cifs_dbg(FYI, "Must sign - secFlags 0x%x\n", secFlags);
|
|
||||||
if ((server->sec_mode &
|
|
||||||
(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
|
|
||||||
cifs_dbg(VFS, "signing required but server lacks support\n");
|
|
||||||
rc = -EOPNOTSUPP;
|
|
||||||
} else
|
|
||||||
server->sec_mode |= SECMODE_SIGN_REQUIRED;
|
|
||||||
} else {
|
|
||||||
/* signing optional ie CIFSSEC_MAY_SIGN */
|
|
||||||
if ((server->sec_mode & SECMODE_SIGN_REQUIRED) == 0)
|
|
||||||
server->sec_mode &=
|
|
||||||
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
|
||||||
}
|
|
||||||
|
|
||||||
neg_err_exit:
|
neg_err_exit:
|
||||||
cifs_buf_release(pSMB);
|
cifs_buf_release(pSMB);
|
||||||
|
|
||||||
|
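Review bot: In cifs_enable_signing(), the final `else` branch (CIFSSEC_MAY_SIGN without MUST_SIGN) clears both SECMODE_SIGN_ENABLED and SECMODE_SIGN_REQUIRED whenever the server does not set SECMODE_SIGN_REQUIRED, and it is the only branch that logs nothing. A server that advertises signing as enabled but optional therefore ends up with signing switched off and no record of that decision, which makes an unexpected loss of signing hard to spot when reviewing a connection afterwards. I would add `cifs_dbg(FYI, "Signing optional and not required by server - disabling\n");` inside that `if`. The new non-static helper also needs a header comment saying that it rewrites server->sec_mode and returns -EOPNOTSUPP when the local SecurityFlags policy conflicts with the mode the server advertised. The unbraced `} else` after the braced `if` in the MUST_SIGN branch should take braces as well.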
@ -423,36 +423,11 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
|
|||||||
}
|
}
|
||||||
|
|
||||||
cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);
|
cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);
|
||||||
if ((sec_flags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
|
rc = cifs_enable_signing(server, sec_flags);
|
||||||
cifs_dbg(FYI, "Signing required\n");
|
|
||||||
if (!(server->sec_mode & (SMB2_NEGOTIATE_SIGNING_REQUIRED |
|
|
||||||
SMB2_NEGOTIATE_SIGNING_ENABLED))) {
|
|
||||||
cifs_dbg(VFS, "signing required but server lacks support\n");
|
|
||||||
rc = -EOPNOTSUPP;
|
|
||||||
goto neg_exit;
|
|
||||||
}
|
|
||||||
server->sec_mode |= SECMODE_SIGN_REQUIRED;
|
|
||||||
} else if (sec_flags & CIFSSEC_MAY_SIGN) {
|
|
||||||
cifs_dbg(FYI, "Signing optional\n");
|
|
||||||
if (server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
|
|
||||||
cifs_dbg(FYI, "Server requires signing\n");
|
|
||||||
server->sec_mode |= SECMODE_SIGN_REQUIRED;
|
|
||||||
} else {
|
|
||||||
server->sec_mode &=
|
|
||||||
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
cifs_dbg(FYI, "Signing disabled\n");
|
|
||||||
if (server->sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
|
|
||||||
cifs_dbg(VFS, "Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags\n");
|
|
||||||
rc = -EOPNOTSUPP;
|
|
||||||
goto neg_exit;
|
|
||||||
}
|
|
||||||
server->sec_mode &=
|
|
||||||
~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
|
#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
|
||||||
|
if (rc)
|
||||||
|
goto neg_exit;
|
||||||
|
|
||||||
rc = decode_neg_token_init(security_blob, blob_length,
|
rc = decode_neg_token_init(security_blob, blob_length,
|
||||||
&server->sec_type);
|
&server->sec_type);
|
||||||
if (rc == 1)
|
if (rc == 1)
|
||||||
|
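Review bot: The SMB2 signing decision is now made by tests on SECMODE_SIGN_ENABLED and SECMODE_SIGN_REQUIRED inside cifs_enable_signing(), whereas the removed block read the server's answer with SMB2_NEGOTIATE_SIGNING_ENABLED and SMB2_NEGOTIATE_SIGNING_REQUIRED. Nothing on this page shows that the two sets of constants occupy the same bits of server->sec_mode. If they differ, a MUST_SIGN mount could be refused against a signing-capable server, or a server that requires signing could be treated as not requiring it and have its signing bits cleared. Please confirm the values match or translate the SMB2 bits before the call, and record which in a comment above `rc = cifs_enable_signing(server, sec_flags);`, for example `/* helper tests SECMODE_SIGN_*; sec_mode holds SMB2_NEGOTIATE_SIGNING_* here */`. SMB2_negotiate starts and ends outside this hunk.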