Diffstat (limited to 'tags/2.6.18-5/30026_cifs-fix-sign-settings.patch')
-rw-r--r--tags/2.6.18-5/30026_cifs-fix-sign-settings.patch179
1 files changed, 179 insertions, 0 deletions
diff --git a/tags/2.6.18-5/30026_cifs-fix-sign-settings.patch b/tags/2.6.18-5/30026_cifs-fix-sign-settings.patch
new file mode 100644
index 0000000..11f8021
--- /dev/null
+++ b/tags/2.6.18-5/30026_cifs-fix-sign-settings.patch
@@ -0,0 +1,179 @@
+From: Steve French <sfrench@us.ibm.com>
+Date: Thu, 28 Jun 2007 18:41:42 +0000 (+0000)
+Subject: [CIFS] Fix sign mount option and sign proc config setting
+X-Git-Tag: v2.6.23-rc1~478^2~20
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=762e5ab77c803c819e45d054518a98efb70b0f60
+
+[CIFS] Fix sign mount option and sign proc config setting
+
+We were checking the wrong (old) global variable to determine
+whether to override server and force signing on the SMB
+connection.
+
+Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifs_debug.c linux-source-2.6.18/fs/cifs/cifs_debug.c
+--- linux-source-2.6.18.orig/fs/cifs/cifs_debug.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifs_debug.c 2007-08-27 23:12:40.666200121 -0600
+@@ -895,90 +895,14 @@ security_flags_write(struct file *file,
+ }
+ /* flags look ok - update the global security flags for cifs module */
+ extended_security = flags;
++ if (extended_security & CIFSSEC_MUST_SIGN) {
++ /* requiring signing implies signing is allowed */
++ extended_security |= CIFSSEC_MAY_SIGN;
++ cFYI(1, ("packet signing now required"));
++ } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) {
++ cFYI(1, ("packet signing disabled"));
++ }
++ /* BB should we turn on MAY flags for other MUST options? */
+ return count;
+ }
+-
+-/* static int
+-ntlmv2_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", ntlmv2_support);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-ntlmv2_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- ntlmv2_support = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- ntlmv2_support = 1;
+- else if (c == '2')
+- ntlmv2_support = 2;
+-
+- return count;
+-}
+-
+-static int
+-packet_signing_enabled_read(char *page, char **start, off_t off,
+- int count, int *eof, void *data)
+-{
+- int len;
+-
+- len = sprintf(page, "%d\n", sign_CIFS_PDUs);
+-
+- len -= off;
+- *start = page + off;
+-
+- if (len > count)
+- len = count;
+- else
+- *eof = 1;
+-
+- if (len < 0)
+- len = 0;
+-
+- return len;
+-}
+-static int
+-packet_signing_enabled_write(struct file *file, const char __user *buffer,
+- unsigned long count, void *data)
+-{
+- char c;
+- int rc;
+-
+- rc = get_user(c, buffer);
+- if (rc)
+- return rc;
+- if (c == '0' || c == 'n' || c == 'N')
+- sign_CIFS_PDUs = 0;
+- else if (c == '1' || c == 'y' || c == 'Y')
+- sign_CIFS_PDUs = 1;
+- else if (c == '2')
+- sign_CIFS_PDUs = 2;
+-
+- return count;
+-} */
+-
+-
+ #endif
+diff -urpN linux-source-2.6.18.orig/fs/cifs/cifssmb.c linux-source-2.6.18/fs/cifs/cifssmb.c
+--- linux-source-2.6.18.orig/fs/cifs/cifssmb.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/cifssmb.c 2007-08-27 23:12:40.678200384 -0600
+@@ -411,11 +411,11 @@ CIFSSMBNegotiate(unsigned int xid, struc
+
+ /* if any of auth flags (ie not sign or seal) are overriden use them */
+ if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
+- secFlags = ses->overrideSecFlg;
++ secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */
+ else /* if override flags set only sign/seal OR them with global auth */
+ secFlags = extended_security | ses->overrideSecFlg;
+
+- cFYI(1,("secFlags 0x%x",secFlags));
++ cFYI(1, ("secFlags 0x%x", secFlags));
+
+ pSMB->hdr.Mid = GetNextMid(server);
+ pSMB->hdr.Flags2 |= SMBFLG2_UNICODE;
+@@ -582,22 +582,32 @@ CIFSSMBNegotiate(unsigned int xid, struc
+ #ifdef CONFIG_CIFS_WEAK_PW_HASH
+ signing_check:
+ #endif
+- if(sign_CIFS_PDUs == FALSE) {
++ if ((secFlags & CIFSSEC_MAY_SIGN) == 0) {
++ /* MUST_SIGN already includes the MAY_SIGN FLAG
++ so if this is zero it means that signing is disabled */
++ cFYI(1, ("Signing disabled"));
+ if(server->secMode & SECMODE_SIGN_REQUIRED)
+- cERROR(1,("Server requires "
+- "/proc/fs/cifs/PacketSigningEnabled to be on"));
++ cERROR(1, ("Server requires "
++ "/proc/fs/cifs/PacketSigningEnabled "
++ "to be on"));
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 1) {
++ } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) {
++ /* signing required */
++ cFYI(1, ("Must sign - segFlags 0x%x", secFlags));
++ if ((server->secMode &
++ (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
++ cERROR(1,
++ ("signing required but server lacks support"));
++ } else
++ server->secMode |= SECMODE_SIGN_REQUIRED;
++ } else {
++ /* signing optional ie CIFSSEC_MAY_SIGN */
+ if((server->secMode & SECMODE_SIGN_REQUIRED) == 0)
+ server->secMode &=
+ ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED);
+- } else if(sign_CIFS_PDUs == 2) {
+- if((server->secMode &
+- (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) {
+- cERROR(1,("signing required but server lacks support"));
+- }
+ }
++
+ neg_err_exit:
+ cifs_buf_release(pSMB);
+
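Review bot: In the backported `CIFSSMBNegotiate` hunk for fs/cifs/cifssmb.c, the new `CIFSSEC_MUST_SIGN` branch only logs `signing required but server lacks support` when the server offers neither `SECMODE_SIGN_ENABLED` nor `SECMODE_SIGN_REQUIRED`, then falls through to `neg_err_exit` with no error set in the visible lines. As far as the hunk shows, a mount that demands signing can therefore still come up unsigned, and a downgraded negotiate response would be noticed only in the kernel log. Failing the negotiation at that point, e.g. `rc = -EOPNOTSUPP;` right after the `cERROR` (assuming the function's return variable is `rc`; the function starts and ends outside the hunk), would make the setting enforceable. The override path marked `/* BB FIXME fix sign flags? */` has a related gap: it takes `ses->overrideSecFlg` alone, so a globally set `CIFSSEC_MUST_SIGN` in `extended_security` appears to be dropped whenever a mount overrides the auth flags; a comment stating that this is a known limitation, or OR-ing the global sign bits in, would help. The error text still points at `/proc/fs/cifs/PacketSigningEnabled` although the check now reads `secFlags`, which may mislead an administrator trying to re-enable signing.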