[08/15] CIFS: Enable encryption during session setup phase

Message ID	1481061758-52020-9-git-send-email-pshilov@microsoft.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-cifs-owner@kernel.org> From: Pavel Shilovsky <pshilov@microsoft.com> To: linux-cifs@vger.kernel.org Subject: [PATCH 08/15] CIFS: Enable encryption during session setup phase Date: Tue, 6 Dec 2016 14:02:31 -0800 Message-Id: <1481061758-52020-9-git-send-email-pshilov@microsoft.com> In-Reply-To: <1481061758-52020-1-git-send-email-pshilov@microsoft.com> References: <1481061758-52020-1-git-send-email-pshilov@microsoft.com> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY4PR03MB2549; 23:DmNxy3v1ol9AB/skCBlfTag9m7vx8s+AzpT1Z0P5h?= =?us-ascii?Q?A8EegcQ5A9SuUw/8dVSx6h+KcvkMPNfRh6xEm0wJMRwlheJtBY4k6gvDQl79?= =?us-ascii?Q?kd6XjXiXBbepZPtYhaBHRL/haDn7L9ayGt+TzXYapiGDbAzlrz8LBa6Utgkv?= =?us-ascii?Q?2qucZhO4SeJ16II3ACMCwharBOUjVCAmAvgeax1DZsaK4rfU1kjhC/+e9eyu?= =?us-ascii?Q?mmaDfXJhXeyxSLyR/VS7zj4HZ65X1oqsAKTqmwaZqv2WfbMElpTpMDsw7jK1?= =?us-ascii?Q?R90m/3ziQVWbXxJ5FIlNlPJRH3442FLBdM5XPRLwWvmjOCAs/qa3si1x9xzZ?= =?us-ascii?Q?GvIjy1SXIx9PW+gr5g5Xpsf485mJ+LcNmj5qzG8XB6xZy0/YCTO0gfn0MEVG?= =?us-ascii?Q?LyIc07EW4o23ExmZxmdYD4BysygtuNcJ+Mv8vwgy3EMaALQdnIWaJjzzCL57?= =?us-ascii?Q?c00Bpme+Y9jVwA+1uwIFu/5tr7ToclDPXo3HQF5QEyZzhkgUJRv/a/we+1kF?= =?us-ascii?Q?+s/nG/n+UMbdu1VmHce98/h0eGk/i6yrKN5872kWJPkm4yQ9Q67IBanraN40?= =?us-ascii?Q?Y58tcVeM7ZTGFFZuXSxoN4v9iaHYlVrYZt7hDiD0czwZIfRRKrBGZ17t42DM?= =?us-ascii?Q?WmYXwUGnLMU2ZKkQI3eI3A35En7WHWtg5m/y58L8MHLbYU02swmKPGoLCCsM?= =?us-ascii?Q?HI813+Gu/v9ClZqM0rgMvO4u+w6OMvWOx0fpN7TqR7WZqfxnr8F3iVw3+DiB?= =?us-ascii?Q?aU7YuP0NFNtVjj/H2eIlHzBKfsxqkTFuU4RX5+WSkGkQUmwC937tIotpmY3w?= =?us-ascii?Q?NieEc5wg00S1wTYXwykll4BHzZj8ML17JKb9vIAnn4Htj7iS7AAztzlZxF4n?= =?us-ascii?Q?pUle+MiHCiqGR01Usia8Vb/s/zRj4rRRLVs8F4sVQb1o6eEHWYh+k96Iudno?= =?us-ascii?Q?5hka2GnVGoL2/kBoza+YFtIqiB+UOhKi4g4kFt1G15jkF09L/YqbbFmdA0hU?= =?us-ascii?Q?9bwv0S2HPgFMS5pHbAEG2aCAjlKZ65RjUEViRS/+nSeXzKx9C2z/4ZZSVFEh?= =?us-ascii?Q?OwzGsshLZQEMWI4fXNL87MJQtb9VrrBKCLaK6eNteJLSHZq97DO+RDVIipg2?= =?us-ascii?Q?ZdFZaijsmIXSemZIh25A+hsYdGZ9gdnH8QvBRM3DYKr222HuMVuA4+pQ2dxH?= =?us-ascii?Q?d+ZWNiSlWBg+3/LCgUArcegy/TxjjINADsvK6o2GXv5YulXF0XNGIXUYbGgb?= =?us-ascii?Q?kt6cQjBhogczP/hpRmQCal5fifP7Cz4hFleHmyBYnJBZyesQvZUbLbRfvVOn?= =?us-ascii?Q?Jhrqr67RK3q3DR5A4ONwF5KGHAVH83MdLh5YLk9w/ZrjrdfEOdB4Y2vjWNK+?= =?us-ascii?Q?Vs5iZlA77beF8LRLCyXnIBqQ5g6l4MLJGSMcQ1DbMSQNsrlwA5D4gpaIBoeh?= =?us-ascii?Q?mNzc/EfpQ=3D=3D?= X-Microsoft-Exchange-Diagnostics: 1; CY4PR03MB2549; 6:PeNIf33JVmOaq/DUFC54IkX+nY/CqRkyffcOLZVasmfHpojojtzVozczdLONQ6Cmy9wqgR8BpAVn5JqJ6sCGGDVsNYYdifbv4Zvo9IGxXTANLtYGGfzn2Xer9g/larPLAA6qThFOJihaYty/IjLbZ+FUMp4luL5FCJn4MwkoMRY35TsOcZ5AaZyMIc30MoScAPtF1Unj828fCUJErqjPd7fNX9eM4YGFXZs+tkPIEZilLRwcMHtoAVhDwPNUWXBJ1PM+wC/Dw5ZoTYjrqaFerA6lG/tblx9vbWsqRYDRCgWZaDLFVLUI+FcKQK2UJOJmVzivtJNv3jXdIXsCuX2ZaZkD6+r2Ij6ckTqfqq0EBQBZupMiEFZjvOu6qE1AuZttZeUF++v7qsajBJLsM/TRGtLWdDTVD/sh1Gzh51hkDsxKcYu++KjJXkaxd3aDn7ytuswCs9XYVD2DrfKvpf7IGQ==; 5:ob00aBDwnWr1+ii2rNnsVFA+W/nDn4cC6O3Xmhq4r8f1kfCz28uXZJ+rlN+niN+a6ACiTYnimxriTjZCbEEofRbNnAwoHDCHnYyohM9kGh9IYLEh8Y3M6mSm9JJg7Fkk/kmhRJeFHxWRfXgjCb9t93UZnGyyBd+yXwCXTn6lOnM=; 24:quqcfJEktrjXkaRzdqr03nt2X+sFXVZLanJO4UdyxUOjWTm4SuR0Uv5uDyXJxQSXwc/h8neHeCVriwFQIYp94CepebHEO6kJBWaXG5CKhmU= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; CY4PR03MB2549; 7:cvCset676Szw0eJLUqhw/A2uE0MzRivP0BHhgU71AzUHwuTJlljGsgQdr00kpS79Ja6Hb8ExUtgx2/2myRk/P7SjoehADKO1pnOcB9wOJZp1amXO5/W9txhZmXVVVyBPgRkrjTBmZzbMftXqNAmD02FfV8Gk9nxc68rpUpm8NZOSJxD7LR+TZlryTeZoN8BNJIoxSrvgPQGxH2S6SzupmY3knezkgJWmb2O9OSGkegnucWKN+sakPV1Q6qSsnHRvYxtuPd9Ph0dr2lKv2CCovEKZ/lNZnZPf/N+C3MZjkTqlKuhfAaEazNi5gG61AuFqWgjMlp9jboDAxh8XkjWkjdjsLg1fpSlGrXrE4RI0lSyzJJMfvqi4aDcSP9rngA9umWKBiGsmFl51ckGn7/HwXaPLCh2Ow67zn8fi/jx7js2BudvmG/6Ht17kIYgAXzNo2OL9ZjTls9I5IsqBAtgV6Q== Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk

Message ID

1481061758-52020-9-git-send-email-pshilov@microsoft.com (mailing list archive)

State

New, archived

Headers

From: Pavel Shilovsky <pshilov@microsoft.com>
To: linux-cifs@vger.kernel.org
Subject: [PATCH 08/15] CIFS: Enable encryption during session setup phase
Date: Tue,  6 Dec 2016 14:02:31 -0800
Message-Id: <1481061758-52020-9-git-send-email-pshilov@microsoft.com>
In-Reply-To: <1481061758-52020-1-git-send-email-pshilov@microsoft.com>
References: <1481061758-52020-1-git-send-email-pshilov@microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: None (protection.outlook.com: microsoft.com does not designate
	permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Dec 2016 22:02:48.5961
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR03MB2549
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Pavel Shilovskiy Dec. 6, 2016, 10:02 p.m. UTC

In order to allow encryption on SMB connection we need to exchange
a session key and generate encryption and decryption keys.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
---
 fs/cifs/sess.c    | 22 ++++++++++------------
 fs/cifs/smb2pdu.c | 12 ++----------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index a1118e3..dcbcc92 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -344,13 +344,12 @@  void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 	/* BB is NTLMV2 session security format easier to use here? */
 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
 
@@ -407,13 +406,12 @@  int build_ntlmssp_auth_blob(unsigned char **pbuffer,
 	flags = NTLMSSP_NEGOTIATE_56 |
 		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index bf5b693..b088c50 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -756,15 +756,13 @@  SMB2_sess_establish_session(struct SMB2_sess_data *sess_data)
 	struct cifs_ses *ses = sess_data->ses;
 
 	mutex_lock(&ses->server->srv_mutex);
-	if (ses->server->sign && ses->server->ops->generate_signingkey) {
+	if (ses->server->ops->generate_signingkey) {
 		rc = ses->server->ops->generate_signingkey(ses);
-		kfree(ses->auth_key.response);
-		ses->auth_key.response = NULL;
 		if (rc) {
 			cifs_dbg(FYI,
 				"SMB3 session key generation failed\n");
 			mutex_unlock(&ses->server->srv_mutex);
-			goto keygen_exit;
+			return rc;
 		}
 	}
 	if (!ses->server->session_estab) {
@@ -778,12 +776,6 @@  SMB2_sess_establish_session(struct SMB2_sess_data *sess_data)
 	ses->status = CifsGood;
 	ses->need_reconnect = false;
 	spin_unlock(&GlobalMid_Lock);
-
-keygen_exit:
-	if (!ses->server->sign) {
-		kfree(ses->auth_key.response);
-		ses->auth_key.response = NULL;
-	}
 	return rc;
 }

[08/15] CIFS: Enable encryption during session setup phase

Commit Message

Patch