mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-09 14:43:16 +00:00
ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share
[ Upstream commit 37ba7b005a7a4454046bd8659c7a9c5330552396 ] Currently, SMB2_SESSION_FLAG_ENCRYPT_DATA is always set session setup response. Since this forces data encryption from the client, there is a problem that data is always encrypted regardless of the use of the cifs seal mount option. SMB2_SESSION_FLAG_ENCRYPT_DATA should be set according to KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION flags, and in case of KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF, encryption mode is turned off for all connections. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
ab69d3e8f7
commit
343d667dee
@ -74,6 +74,7 @@ struct ksmbd_heartbeat {
|
||||
#define KSMBD_GLOBAL_FLAG_SMB2_LEASES BIT(0)
|
||||
#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION BIT(1)
|
||||
#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL BIT(2)
|
||||
#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF BIT(3)
|
||||
|
||||
/*
|
||||
* IPC request for ksmbd server startup
|
||||
|
@ -247,8 +247,9 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
|
||||
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
|
||||
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
|
||||
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
|
||||
(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
|
||||
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
|
||||
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
|
||||
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
|
||||
@ -271,6 +272,11 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
|
||||
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
|
||||
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
|
||||
(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
|
||||
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
|
||||
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
|
||||
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
|
||||
conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
|
||||
|
||||
|
@ -935,7 +935,7 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
|
||||
return;
|
||||
}
|
||||
|
||||
if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION))
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF)
|
||||
return;
|
||||
|
||||
for (i = 0; i < cph_cnt; i++) {
|
||||
@ -1544,7 +1544,8 @@ static int ntlm_authenticate(struct ksmbd_work *work,
|
||||
return -EINVAL;
|
||||
}
|
||||
sess->enc = true;
|
||||
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)
|
||||
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
|
||||
/*
|
||||
* signing is disable if encryption is enable
|
||||
* on this session
|
||||
@ -1630,7 +1631,8 @@ static int krb5_authenticate(struct ksmbd_work *work,
|
||||
return -EINVAL;
|
||||
}
|
||||
sess->enc = true;
|
||||
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
|
||||
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)
|
||||
rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
|
||||
sess->sign = false;
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user