From patchwork Fri Apr 20 22:11:10 2018
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 10353777
From: Steve French
Date: Fri, 20 Apr 2018 17:11:10 -0500
Subject: encrypt the tcon itself if seal requested on mount and set encryption support for 3.11 properly
To: CIFS , samba-technical
Sender: linux-cifs-owner@vger.kernel.org
X-Mailing-List: linux-cifs@vger.kernel.org

This patch doesn't fix all the problems (mount with 3.11 and "seal" fails, presumably because the validate-negotiate-like hash for the signature is not attached to the tcon the right way - signing is usually disabled when encryption is enabled). Should the signature also be included in the frame even if the tcon is encrypted in SMB3.11?

From f1f488e9af87dc07f96769e4d834ccbea478e746 Mon Sep 17 00:00:00 2001
From: Steve French Date: Fri, 20 Apr 2018 17:04:14 -0500 Subject: [PATCH] SMB3: Make sure encryption set for 3.11 and handle encrypted smb3 tcon The tree connect request itself should be encrypted if the client requests encryption ("seal" on mount), in addition we should be enabling encryption in 3.11 based on whether we got any valid encryption ciphers back in negprot (the corresponding session flag is not set as it is in 3.0 and 3.02) Signed-off-by: Steve French CC: Stable --- fs/cifs/connect.c | 32 ++++++++++++++++---------------- fs/cifs/smb2pdu.c | 1 + 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index e8830f076a7f..a5aa158d535a 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -2959,6 +2959,22 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) } } + if (volume_info->seal) { + if (ses->server->vals->protocol_id == 0) { + cifs_dbg(VFS, + "SMB3 or later required for encryption\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } else if (tcon->ses->server->capabilities & + SMB2_GLOBAL_CAP_ENCRYPTION) + tcon->seal = true; + else { + cifs_dbg(VFS, "Encryption is not supported on share\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } + } + /* * BB Do we need to wrap session_mutex around this TCon call and Unix * SetFS as we do on SessSetup and reconnect? @@ -3007,22 +3023,6 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) tcon->use_resilient = true; } - if (volume_info->seal) { - if (ses->server->vals->protocol_id == 0) { - cifs_dbg(VFS, - "SMB3 or later required for encryption\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } else if (tcon->ses->server->capabilities & - SMB2_GLOBAL_CAP_ENCRYPTION) - tcon->seal = true; - else { - cifs_dbg(VFS, "Encryption is not supported on share\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } - } - /* * We can have only one retry value for a connection to a share so for * resources mounted more than once to the same server share the last 
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 0f044c4a2dc9..b8928e389147 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -444,6 +444,7 @@ static int decode_encrypt_ctx(struct TCP_Server_Info *server, return -EINVAL; } server->cipher_type = ctxt->Ciphers[0]; + server->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION; return 0; } -- 2.14.1
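Review bot: in the `if (volume_info->seal)` block added before the tree connect in cifs_get_tcon (first connect.c hunk), the `goto out_fail` now fires before the tree connect has been issued, which was not possible from this block in its old position; confirm that the out_fail path only frees the not-yet-connected tcon and does not attempt a tree disconnect. Two smaller points on the same lines: the block reads `ses->server->vals->protocol_id` in one test and `tcon->ses->server->capabilities` in the next, so pick one pointer for both, and the `else if (...) tcon->seal = true;` arm is unbraced while its sibling arms are braced, which kernel style asks to brace consistently. Failing the mount with -EOPNOTSUPP when the server does not advertise SMB2_GLOBAL_CAP_ENCRYPTION is the right fail-closed behaviour for a "seal" mount, so keep that.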
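Review bot: the block removed in the second connect.c hunk (after the `tcon->use_resilient = true;` setup) is byte-for-byte the block added earlier in the function, so this hunk is a pure move; the consequence worth spelling out in the commit message is that, before this change, tcon->seal was set only after the tree connect request had already gone out, so the request itself was sent without encryption even when the user asked for "seal". It would also help to state which path in the tree connect code consults tcon->seal to encrypt the request, since the cover letter reports that 3.11 mounts with "seal" still fail after this change.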
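Review bot: the new `server->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;` in decode_encrypt_ctx deserves a one-line comment, because a reader will otherwise assume the bit came from the Capabilities field of the server's negotiate response; as the commit message says, for 3.11 the bit is being synthesized from the presence of a valid encryption negotiate context instead, since the session flag used by 3.0 and 3.02 is not set there. Placing it after the `return -EINVAL;` check and after `server->cipher_type = ctxt->Ciphers[0];` is the right order, so the flag is never set for a context that failed validation. The negotiate exchange is not yet authenticated at this point, so the flag on its own must not be taken as proof that encryption is in place; the connect.c change that fails the mount when "seal" is requested and the bit is absent is what keeps a missing or stripped context from producing a cleartext mount.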