Commit 37ba7b00 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share 



Currently, SMB2_SESSION_FLAG_ENCRYPT_DATA is always set session setup
response. Since this forces data encryption from the client, there is a
problem that data is always encrypted regardless of the use of the cifs
seal mount option. SMB2_SESSION_FLAG_ENCRYPT_DATA should be set according
to KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION flags, and in case of
KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF, encryption mode is turned off for
all connections.

Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 76dcd734

fs/ksmbd/ksmbd_netlink.h

+1 −0
Original line number Diff line number Diff line
@@ -74,6 +74,7 @@ struct ksmbd_heartbeat { 
#define KSMBD_GLOBAL_FLAG_SMB2_LEASES		BIT(0)

#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION	BIT(1)

#define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL	BIT(2)

#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF	BIT(3)



/*

 * IPC request for ksmbd server startup

fs/ksmbd/smb2ops.c

+8 −2
Original line number Diff line number Diff line
@@ -247,8 +247,9 @@ void init_smb3_02_server(struct ksmbd_conn *conn) 
	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)

		conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;



	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&

	    conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)

	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||

	    (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&

	     conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))

		conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;



	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
@@ -271,6 +272,11 @@ int init_smb3_11_server(struct ksmbd_conn *conn) 
	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)

		conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;



	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||

	    (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&

	     conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))

		conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;



	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)

		conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;

fs/ksmbd/smb2pdu.c

+5 −3
Original line number Diff line number Diff line
@@ -903,7 +903,7 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn, 
		return;

	}



	if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION))

	if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF)

		return;



	for (i = 0; i < cph_cnt; i++) {
@@ -1508,6 +1508,7 @@ static int ntlm_authenticate(struct ksmbd_work *work) 
			return -EINVAL;

		}

		sess->enc = true;

		if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)

			rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;

		/*

		 * signing is disable if encryption is enable
@@ -1599,6 +1600,7 @@ static int krb5_authenticate(struct ksmbd_work *work) 
			return -EINVAL;

		}

		sess->enc = true;

		if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)

			rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;

		sess->sign = false;

	}