[CIFS] Fix sign mount option and sign proc config setting
authorSteve French <sfrench@us.ibm.com>
Thu, 28 Jun 2007 18:41:42 +0000 (18:41 +0000)
committerSteve French <sfrench@us.ibm.com>
Thu, 28 Jun 2007 18:41:42 +0000 (18:41 +0000)
We were checking the wrong (old) global variable to determine
whether to override server and force signing on the SMB
connection.

Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
fs/cifs/cifs_debug.c
fs/cifs/cifssmb.c

index ebd13358cca6bb840b6c62078a60a61c7ed9c0c6..42fafa144f40520949093e138d2d19199e392668 100644 (file)
@@ -901,90 +901,14 @@ security_flags_write(struct file *file, const char __user *buffer,
        }
        /* flags look ok - update the global security flags for cifs module */
        extended_security = flags;
+       if (extended_security & CIFSSEC_MUST_SIGN) {
+               /* requiring signing implies signing is allowed */
+               extended_security |= CIFSSEC_MAY_SIGN;
+               cFYI(1, ("packet signing now required"));
+       } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
+               cFYI(1, ("packet signing disabled"));
+       }
+       /* BB should we turn on MAY flags for other MUST options? */
        return count;
 }
-
-/* static int
-ntlmv2_enabled_read(char *page, char **start, off_t off,
-                      int count, int *eof, void *data)
-{
-       int len;
-
-       len = sprintf(page, "%d\n", ntlmv2_support);
-
-       len -= off;
-       *start = page + off;
-
-       if (len > count)
-               len = count;
-       else
-               *eof = 1;
-
-       if (len < 0)
-               len = 0;
-
-       return len;
-}
-static int
-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
-                       unsigned long count, void *data)
-{
-       char c;
-       int rc;
-
-       rc = get_user(c, buffer);
-       if (rc)
-               return rc;
-       if (c == '0' || c == 'n' || c == 'N')
-               ntlmv2_support = 0;
-       else if (c == '1' || c == 'y' || c == 'Y')
-               ntlmv2_support = 1;
-       else if (c == '2')
-               ntlmv2_support = 2;
-
-       return count;
-}
-
-static int
-packet_signing_enabled_read(char *page, char **start, off_t off,
-                      int count, int *eof, void *data)
-{
-       int len;
-
-       len = sprintf(page, "%d\n", sign_CIFS_PDUs);
-
-       len -= off;
-       *start = page + off;
-
-       if (len > count)
-               len = count;
-       else
-               *eof = 1;
-
-       if (len < 0)
-               len = 0;
-
-       return len;
-}
-static int
-packet_signing_enabled_write(struct file *file, const char __user *buffer,
-                       unsigned long count, void *data)
-{
-       char c;
-       int rc;
-
-       rc = get_user(c, buffer);
-       if (rc)
-               return rc;
-       if (c == '0' || c == 'n' || c == 'N')
-               sign_CIFS_PDUs = 0;
-       else if (c == '1' || c == 'y' || c == 'Y')
-               sign_CIFS_PDUs = 1;
-       else if (c == '2')
-               sign_CIFS_PDUs = 2;
-
-       return count;
-} */
-
-
 #endif
index 57419a176688356cec33d80e2c89d22b13d0fedc..4a2458e787847967d8f046173be9c21e0daf24ef 100644 (file)
@@ -426,11 +426,11 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 
        /* if any of auth flags (ie not sign or seal) are overriden use them */
        if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-               secFlags = ses->overrideSecFlg;
+               secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
        else /* if override flags set only sign/seal OR them with global auth */
                secFlags = extended_security | ses->overrideSecFlg;
 
-       cFYI(1,("secFlags 0x%x",secFlags));
+       cFYI(1, ("secFlags 0x%x", secFlags));
 
        pSMB->hdr.Mid = GetNextMid(server);
        pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS);
@@ -633,22 +633,32 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
 signing_check:
 #endif
-       if(sign_CIFS_PDUs == FALSE) {        
+       if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
+               /* MUST_SIGN already includes the MAY_SIGN FLAG
+                  so if this is zero it means that signing is disabled */
+               cFYI(1, ("Signing disabled"));
                if(server->secMode & SECMODE_SIGN_REQUIRED)
-                       cERROR(1,("Server requires "
-                                "/proc/fs/cifs/PacketSigningEnabled to be on"));
+                       cERROR(1, ("Server requires "
+                                  "/proc/fs/cifs/PacketSigningEnabled "
+                                  "to be on"));
                server->secMode &= 
                        ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-       } else if(sign_CIFS_PDUs == 1) {
+       } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
+               /* signing required */
+               cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
+               if ((server->secMode &
+                       (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+                       cERROR(1,
+                               ("signing required but server lacks support"));
+               } else
+                       server->secMode |= SECMODE_SIGN_REQUIRED;
+       } else {
+               /* signing optional ie CIFSSEC_MAY_SIGN */
                if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
                        server->secMode &= 
                                ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
-       } else if(sign_CIFS_PDUs == 2) {
-               if((server->secMode & 
-                       (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
-                       cERROR(1,("signing required but server lacks support"));
-               }
        }
+       
 neg_err_exit:  
        cifs_buf_release(pSMB);