From patchwork Thu Aug 1 03:02:03 2024
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 13749499
Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AAE6A1E868 for ; Thu, 1 Aug 2024 03:02:17 +0000 (UTC)
Precedence: bulk
X-Mailing-List: linux-cifs@vger.kernel.org
MIME-Version: 1.0
From: Steve French
Date: Wed, 31 Jul 2024 22:02:03 -0500
Subject: [PATCH][SMB3 client] fix setting SecurityFlags when encryption is required
To: CIFS

Setting encryption as required in cifs.ko's global security flags was broken.
For example (to require all mounts to be encrypted by setting):
   "echo 0x400c5 > /proc/fs/cifs/SecurityFlags"
would return "Invalid argument" and log "Unsupported security flags"

This patch fixes that (e.g. allowing overriding the default for SecurityFlags 0x00c5, including 0x40000 to require seal, i.e. SMB3.1.1 encryption) so now that works and forces encryption on subsequent mounts.

From 68d3029ef69757a688a078d38328d58208c57785 Mon Sep 17 00:00:00 2001
From: Steve French
Date: Wed, 31 Jul 2024 21:38:50 -0500
Subject: [PATCH] smb3: fix setting SecurityFlags when encryption is required

Setting encryption as required in security flags was broken.
For example (to require all mounts to be encrypted by setting):
   "echo 0x400c5 > /proc/fs/cifs/SecurityFlags"
would return "Invalid argument" and log "Unsupported security flags"

This patch fixes that (e.g. allowing overriding the default for SecurityFlags 0x00c5, including 0x40000 to require seal, i.e. SMB3.1.1 encryption) so now that works and forces encryption on subsequent mounts.

Signed-off-by: Steve French
---
 Documentation/admin-guide/cifs/usage.rst | 2 +-
 fs/smb/client/cifs_debug.c               | 2 +-
 fs/smb/client/cifsglob.h                 | 4 ++--
 fs/smb/client/smb2pdu.c                  | 3 +++
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/cifs/usage.rst b/Documentation/admin-guide/cifs/usage.rst
index fd4b56c0996f..c09674a75a9e 100644
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -742,7 +742,7 @@ SecurityFlags Flags which control security negotiation and may use NTLMSSP 0x00080 must use NTLMSSP 0x80080 seal (packet encryption) 0x00040 - must seal (not implemented yet) 0x40040 + must seal 0x40040 cifsFYI If set to non-zero value, additional debug information will be logged to the system error log. This field diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c index c71ae5c04306..4a20e92474b2 100644 --- a/fs/smb/client/cifs_debug.c +++ b/fs/smb/client/cifs_debug.c @@ -1072,7 +1072,7 @@ static int cifs_security_flags_proc_open(struct inode *inode, struct file *file) static void cifs_security_flags_handle_must_flags(unsigned int *flags) { - unsigned int signflags = *flags & CIFSSEC_MUST_SIGN; + unsigned int signflags = *flags & (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL); if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5) *flags = CIFSSEC_MUST_KRB5; diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index f6d1f075987f..befd84f9df30 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -1891,9 +1891,9 @@ require use of the stronger protocol */ #define CIFSSEC_MUST_NTLMV2 0x04004 #define CIFSSEC_MUST_KRB5 0x08008 #ifdef CONFIG_CIFS_UPCALL -#define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ +#define CIFSSEC_MASK 0xCF0CF /* flags supported if no weak allowed */ #else -#define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ +#define CIFSSEC_MASK 0xC70C7 /* flags supported if no weak allowed */ #endif /* UPCALL */ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 9a06b5594669..83facb54276a 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c 
@@ -82,6 +82,9 @@ int smb3_encryption_required(const struct cifs_tcon *tcon) if (tcon->seal && (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) return 1; + if (((global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) && + (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) + return 1; return 0; } -- 2.43.0
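Review bot: the usage.rst hunk documents "must seal" as 0x40040, while the commit message says "including 0x40000 to require seal"; the example 0x400c5 satisfies the `(global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL` comparison in the smb2pdu.c hunk only because the 0x00c5 default already carries the 0x00040 seal bit, so a user who adds 0x40000 to a value without that bit gets neither encryption nor an error. Suggest quoting 0x40040 in the commit message so it agrees with the table.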
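Review bot: in cifs_security_flags_handle_must_flags() the variable `signflags` now also carries CIFSSEC_MUST_SEAL, so its name no longer describes what it holds; either rename it (for example `keepflags`) or add a one-line comment that both the signing and the sealing requirement are preserved when the value collapses to a single "must" auth type in the KRB5 branch that follows.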
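Review bot: the cifsglob.h hunk widens CIFSSEC_MASK to admit 0x40040, but the line `#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */` in the trailing context keeps a comment this patch makes stale; since the usage.rst hunk drops "(not implemented yet)" for the same flag, the code comment should go in the same patch. The new masks themselves are consistent: 0x8F08F | 0x40040 = 0xCF0CF and 0x87087 | 0x40040 = 0xC70C7.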
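Review bot: the added check in smb3_encryption_required() returns 1 only when the server also advertises SMB2_GLOBAL_CAP_ENCRYPTION; with CIFSSEC_MUST_SEAL set against a server that lacks the capability the function falls through to `return 0`, and nothing in this hunk fails the mount, so a global "must seal" is fail-open here unless negotiate or tree connect already rejects such servers. Worth stating in the commit message where that rejection happens, or adding one, so that requiring encryption cannot silently yield a plaintext mount. The two branches also repeat the capability test; `if ((tcon->seal || (global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) && (caps & SMB2_GLOBAL_CAP_ENCRYPTION))` would express it once.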
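To show why the `echo 0x400c5` in the commit message failed before the patch and works after it, here is an added model, written for this page and not kernel code, of the three paths the patch touches: the SecurityFlags mask check, the must-flags collapse, and smb3_encryption_required(). CIFSSEC_MUST_SEAL, CIFSSEC_MUST_KRB5 and both CIFSSEC_MASK values are taken from the hunks; CIFSSEC_MUST_SIGN = 0x01001, the 0x40 capability bit, and the exact shape of the must-flags collapse are assumptions.

```c
#include <errno.h>
#include <stdio.h>

#define CIFSSEC_MUST_SIGN 0x01001 /* assumed kernel value; not in this patch */
#define CIFSSEC_MUST_KRB5 0x08008 /* from the cifsglob.h hunk */
#define CIFSSEC_MUST_SEAL 0x40040 /* from the cifsglob.h hunk */
#define CIFSSEC_MASK_OLD  0x8F08F /* CONFIG_CIFS_UPCALL mask before the patch */
#define CIFSSEC_MASK_NEW  0xCF0CF /* CONFIG_CIFS_UPCALL mask after the patch */
#define SMB2_GLOBAL_CAP_ENCRYPTION 0x40 /* MS-SMB2 negotiate capability bit (assumed) */

/* Model of the /proc/fs/cifs/SecurityFlags write path: a bit outside the mask
 * is "Unsupported" and the write fails with -EINVAL; mask is a parameter so
 * the pre- and post-patch behaviour can be compared. g is global_secflags. */
static int security_flags_write(unsigned int flags, unsigned int mask, unsigned int *g)
{
    if (flags & ~mask) {
        fprintf(stderr, "Unsupported security flags: 0x%x\n", flags & ~mask);
        return -EINVAL;
    }
    *g = flags;
    return 0;
}

/* Simplified model of cifs_security_flags_handle_must_flags(): a "must" auth
 * flag collapses the value to that auth type and only the bits captured in
 * signflags survive (pre-patch MUST_SIGN only, post-patch MUST_SIGN|MUST_SEAL).
 * Only the KRB5 branch visible in the hunk is modelled. */
static unsigned int handle_must_flags(unsigned int flags, int keep_seal)
{
    unsigned int keep = CIFSSEC_MUST_SIGN | (keep_seal ? CIFSSEC_MUST_SEAL : 0);
    unsigned int signflags = flags & keep;
    if ((flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
        flags = CIFSSEC_MUST_KRB5;
    return flags | signflags;
}

/* Model of smb3_encryption_required() as changed by the smb2pdu.c hunk. */
static int smb3_encryption_required(int tcon_seal, unsigned int caps, unsigned int g)
{
    if (tcon_seal && (caps & SMB2_GLOBAL_CAP_ENCRYPTION))
        return 1;
    if (((g & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) && (caps & SMB2_GLOBAL_CAP_ENCRYPTION))
        return 1;
    return 0;
}
```

With the old mask the write of 0x400c5 is rejected because bit 0x40000 lies outside it; with the new mask it is stored and every tcon against an encryption-capable server then reports encryption as required.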