cifs: remove support for NTLM and weaker authentication algorithms

	select CRYPTO_GCM

	select CRYPTO_ECB

	select CRYPTO_AES

	select CRYPTO_LIB_DES

	select KEYS

	select DNS_RESOLVER

	select ASN1

	  If unsure, say Y.

config CIFS_WEAK_PW_HASH

	bool "Support legacy servers which use weaker LANMAN security"

	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY

	help

	  Modern CIFS servers including Samba and most Windows versions

	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)

	  security mechanisms. These hash the password more securely

	  than the mechanisms used in the older LANMAN version of the

	  SMB protocol but LANMAN based authentication is needed to

	  establish sessions with some old SMB servers.

	  Enabling this option allows the cifs module to mount to older

	  LANMAN based servers such as OS/2 and Windows 95, but such

	  mounts may be less secure than mounts using NTLM or more recent

	  security mechanisms if you are on a public network.  Unless you

	  have a need to access old SMB servers (and are on a private

	  network) you probably want to say N.  Even if this support

	  is enabled in the kernel build, LANMAN authentication will not be

	  used automatically. At runtime LANMAN mounts are disabled but

	  can be set to required (or optional) either in

	  /proc/fs/cifs (see Documentation/admin-guide/cifs/usage.rst for

	  more detail) or via an option on the mount command. This support

	  is disabled by default in order to reduce the possibility of a

	  downgrade attack.

	  If unsure, say N.

config CIFS_UPCALL

	bool "Kerberos/SPNEGO advanced session setup"

	depends on CIFS

#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY

	seq_printf(m, ",ALLOW_INSECURE_LEGACY");

#endif

#ifdef CONFIG_CIFS_WEAK_PW_HASH

	seq_printf(m, ",WEAK_PW_HASH");

#endif

#ifdef CONFIG_CIFS_POSIX

	seq_printf(m, ",CIFS_POSIX");

#endif

		*flags = CIFSSEC_MUST_NTLMSSP;

	else if ((*flags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)

		*flags = CIFSSEC_MUST_NTLMV2;

	else if ((*flags & CIFSSEC_MUST_NTLM) == CIFSSEC_MUST_NTLM)

		*flags = CIFSSEC_MUST_NTLM;

	else if (CIFSSEC_MUST_LANMAN &&

		 (*flags & CIFSSEC_MUST_LANMAN) == CIFSSEC_MUST_LANMAN)

		*flags = CIFSSEC_MUST_LANMAN;

	else if (CIFSSEC_MUST_PLNTXT &&

		 (*flags & CIFSSEC_MUST_PLNTXT) == CIFSSEC_MUST_PLNTXT)

		*flags = CIFSSEC_MUST_PLNTXT;

	*flags |= signflags;

}

			goto nlmsg_fail;

		}

		break;

	case LANMAN:

	case NTLM:

	case NTLMv2:

	case RawNTLMSSP:

		ret = cifs_swn_auth_info_ntlm(swnreg->tcon, skb);

}

/* first calculate 24 bytes ntlm response and then 16 byte session key */

int setup_ntlm_response(struct cifs_ses *ses, const struct nls_table *nls_cp)

{

	int rc = 0;

	unsigned int temp_len = CIFS_SESS_KEY_SIZE + CIFS_AUTH_RESP_SIZE;

	char temp_key[CIFS_SESS_KEY_SIZE];

	if (!ses)

		return -EINVAL;

	ses->auth_key.response = kmalloc(temp_len, GFP_KERNEL);

	if (!ses->auth_key.response)

		return -ENOMEM;

	ses->auth_key.len = temp_len;

	rc = SMBNTencrypt(ses->password, ses->server->cryptkey,

			ses->auth_key.response + CIFS_SESS_KEY_SIZE, nls_cp);

	if (rc) {

		cifs_dbg(FYI, "%s Can't generate NTLM response, error: %d\n",

			 __func__, rc);

		return rc;

	}

	rc = E_md4hash(ses->password, temp_key, nls_cp);

	if (rc) {

		cifs_dbg(FYI, "%s Can't generate NT hash, error: %d\n",

			 __func__, rc);

		return rc;

	}

	rc = mdfour(ses->auth_key.response, temp_key, CIFS_SESS_KEY_SIZE);

	if (rc)

		cifs_dbg(FYI, "%s Can't generate NTLM session key, error: %d\n",

			 __func__, rc);

	return rc;

}

#ifdef CONFIG_CIFS_WEAK_PW_HASH

int calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt,

			char *lnm_session_key)

{

	int i, len;

	int rc;

	char password_with_pad[CIFS_ENCPWD_SIZE] = {0};

	if (password) {

		for (len = 0; len < CIFS_ENCPWD_SIZE; len++)

			if (!password[len])

				break;

		memcpy(password_with_pad, password, len);

	}

	if (!encrypt && global_secflags & CIFSSEC_MAY_PLNTXT) {

		memcpy(lnm_session_key, password_with_pad,

			CIFS_ENCPWD_SIZE);

		return 0;

	}

	/* calculate old style session key */

	/* calling toupper is less broken than repeatedly

	calling nls_toupper would be since that will never

	work for UTF8, but neither handles multibyte code pages

	but the only alternative would be converting to UCS-16 (Unicode)

	(using a routine something like UniStrupr) then

	uppercasing and then converting back from Unicode - which

	would only worth doing it if we knew it were utf8. Basically

	utf8 and other multibyte codepages each need their own strupper

	function since a byte at a time will ont work. */

	for (i = 0; i < CIFS_ENCPWD_SIZE; i++)

		password_with_pad[i] = toupper(password_with_pad[i]);

	rc = SMBencrypt(password_with_pad, cryptkey, lnm_session_key);

	return rc;

}

#endif /* CIFS_WEAK_PW_HASH */

/* Build a proper attribute value/target info pairs blob.

 * Fill in netbios and dns domain name and workstation name

 * and client time (total five av pairs and + one end of fields indicator.

	seq_puts(s, ",sec=");

	switch (ses->sectype) {

	case LANMAN:

		seq_puts(s, "lanman");

		break;

	case NTLMv2:

		seq_puts(s, "ntlmv2");

		break;

	case NTLM:

		seq_puts(s, "ntlm");

		break;

	case Kerberos:

		seq_puts(s, "krb5");

		break;