1. 19 5月, 2011 6 次提交
    • J
      cifs: keep BCC in little-endian format · 820a803f
      Jeff Layton 提交于
      This is the same patch as originally posted, just with some merge
      conflicts fixed up...
      
      Currently, the ByteCount is usually converted to host-endian on receive.
      This is confusing however, as we need to keep two sets of routines for
      accessing it, and keep track of when to use each routine. Munging
      received packets like this also limits when the signature can be
      calulated.
      
      Simplify the code by keeping the received ByteCount in little-endian
      format. This allows us to eliminate a set of routines for accessing it
      and we can now drop the *_le suffixes from the accessor functions since
      that's now implied.
      
      While we're at it, switch all of the places that read the ByteCount
      directly to use the get_bcc inline which should also clean up some
      unaligned accesses.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      820a803f
    • S
      cifs: Add idmap key and related data structures and functions (try #17 repost) · 4d79dba0
      Shirish Pargaonkar 提交于
      Define (global) data structures to store ids, uids and gids, to which a
      SID maps.  There are two separate trees, one for SID/uid and another one
      for SID/gid.
      
      A new type of key, cifs_idmap_key_type, is used.
      
      Keys are instantiated and searched using credential of the root by
      overriding and restoring the credentials of the caller requesting the key.
      
      Id mapping functions are invoked under config option of cifs acl.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      4d79dba0
    • S
      [CIFS] Allow to set extended attribute cifs_acl (try #2) · b73b9a4b
      Steve French 提交于
      Allow setting cifs_acl on the server.
      Pass on to the server the ACL blob generated by an application.
      cifs is just a pass-through, it does not monitor or inspect the contents
      of the blob, server decides whether to enforce/apply the ACL blob composed
      by an application.
      If setting of ACL is succeessful, mark the inode for revalidation.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Acked-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      b73b9a4b
    • S
      [CIFS] Use ecb des kernel crypto APIs instead of · 43988d76
      Steve French 提交于
       local cifs functions (repost)
      
      Using kernel crypto APIs for DES encryption during LM and NT hash generation
      instead of local functions within cifs.
      Source file smbdes.c is deleted sans four functions, one of which
      uses ecb des functionality provided by kernel crypto APIs.
      
      Remove function SMBOWFencrypt.
      
      Add return codes to various functions such as calc_lanman_hash,
      SMBencrypt, and SMBNTencrypt.  Includes fix noticed by Dan Carpenter.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      CC: Dan Carpenter <error27@gmail.com>
      Acked-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      43988d76
    • S
      Don't compile in unused reparse point symlink code · c52a9554
      Steve French 提交于
      Recent Windows versions now create symlinks more frequently
      and they do use this "reparse point" symlink mechanism.  We can of course
      do symlinks nicely to Samba and other servers which support the
      CIFS Unix Extensions and we can also do SFU symlinks and "client only"
      "MF" symlinks optionally, but for recent Windows we currently can not
      handle the common "reparse point" symlinks fully, removing the caller
      for this. We will need to extend and reenable this "reparse point" worker
      code in cifs and fix cifs_symlink to call this.  In the interim this code
      has been moved to its own config option so it is not compiled in by default
      until cifs_symlink fixed up (and tested) to use this.
      
      CC: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      c52a9554
    • S
      Remove unused CIFSSMBNotify worker function · 0eff0e26
      Steve French 提交于
      The CIFSSMBNotify worker is unused, pending changes to allow it to be called
      via inotify, so move it into its own experimental config option so it does
      not get built in, until the necessary VFS support is fixed.  It used to
      be used in dnotify, but according to Jeff, inotify needs minor changes
      before we can reenable this.
      
      CC: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      0eff0e26
  2. 28 1月, 2011 1 次提交
  3. 26 1月, 2011 1 次提交
  4. 21 1月, 2011 2 次提交
  5. 20 1月, 2011 1 次提交
    • P
      CIFS: Fix oplock break handling (try #2) · 12fed00d
      Pavel Shilovsky 提交于
      When we get oplock break notification we should set the appropriate
      value of OplockLevel field in oplock break acknowledge according to
      the oplock level held by the client in this time. As we only can have
      level II oplock or no oplock in the case of oplock break, we should be
      aware only about clientCanCacheRead field in cifsInodeInfo structure.
      
      Also fix bug connected with wrong interpretation of OplockLevel field
      during oplock break notification processing.
      Signed-off-by: NPavel Shilovsky <piastryyy@gmail.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      12fed00d
  6. 08 12月, 2010 1 次提交
  7. 07 12月, 2010 1 次提交
  8. 30 11月, 2010 2 次提交
  9. 11 11月, 2010 1 次提交
  10. 06 11月, 2010 1 次提交
  11. 03 11月, 2010 1 次提交
  12. 27 10月, 2010 3 次提交
    • S
      NTLM auth and sign - Use kernel crypto apis to calculate hashes and smb signatures · 307fbd31
      Shirish Pargaonkar 提交于
      Use kernel crypto sync hash apis insetead of cifs crypto functions.
      The calls typically corrospond one to one except that insead of
      key init, setkey is used.
      
      Use crypto apis to generate smb signagtures also.
      Use hmac-md5 to genereate ntlmv2 hash, ntlmv2 response, and HMAC (CR1 of
      ntlmv2 auth blob.
      User crypto apis to genereate signature and to verify signature.
      md5 hash is used to calculate signature.
      Use secondary key to calculate signature in case of ntlmssp.
      
      For ntlmv2 within ntlmssp, during signature calculation, only 16 bytes key
      (a nonce) stored within session key is used. during smb signature calculation.
      For ntlm and ntlmv2 without extended security, 16 bytes key
      as well as entire response (24 bytes in case of ntlm and variable length
      in case of ntlmv2) is used for smb signature calculation.
      For kerberos, there is no distinction between key and response.
      Acked-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      307fbd31
    • S
      NTLM auth and sign - Define crypto hash functions and create and send keys needed for key exchange · d2b91521
      Shirish Pargaonkar 提交于
      Mark dependency on crypto modules in Kconfig.
      
      Defining per structures sdesc and cifs_secmech which are used to store
      crypto hash functions and contexts.  They are stored per smb connection
      and used for all auth mechs to genereate hash values and signatures.
      
      Allocate crypto hashing functions, security descriptiors, and respective
      contexts when a smb/tcp connection is established.
      Release them when a tcp/smb connection is taken down.
      
      md5 and hmac-md5 are two crypto hashing functions that are used
      throught the life of an smb/tcp connection by various functions that
      calcualte signagure and ntlmv2 hash, HMAC etc.
      
      structure ntlmssp_auth is defined as per smb connection.
      
      ntlmssp_auth holds ciphertext which is genereated by rc4/arc4 encryption of
      secondary key, a nonce using ntlmv2 session key and sent in the session key
      field of the type 3 message sent by the client during ntlmssp
      negotiation/exchange
      
      A key is exchanged with the server if client indicates so in flags in
      type 1 messsage and server agrees in flag in type 2 message of ntlmssp
      negotiation.  If both client and agree, a key sent by client in
      type 3 message of ntlmssp negotiation in the session key field.
      The key is a ciphertext generated off of secondary key, a nonce, using
      ntlmv2 hash via rc4/arc4.
      
      Signing works for ntlmssp in this patch. The sequence number within
      the server structure needs to be zero until session is established
      i.e. till type 3 packet of ntlmssp exchange of a to be very first
      smb session on that smb connection is sent.
      Acked-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      d2b91521
    • S
      NTLM auth and sign - Allocate session key/client response dynamically · 21e73393
      Shirish Pargaonkar 提交于
      Start calculating auth response within a session.  Move/Add pertinet
      data structures like session key, server challenge and ntlmv2_hash in
      a session structure.  We should do the calculations within a session
      before copying session key and response over to server data
      structures because a session setup can fail.
      
      Only after a very first smb session succeeds, it copy/make its
      session key, session key of smb connection.  This key stays with
      the smb connection throughout its life.
      sequence_number within server is set to 0x2.
      
      The authentication Message Authentication Key (mak) which consists
      of session key followed by client response within structure session_key
      is now dynamic.  Every authentication type allocates the key + response
      sized memory within its session structure and later either assigns or
      frees it once the client response is sent and if session's session key
      becomes connetion's session key.
      
      ntlm/ntlmi authentication functions are rearranged.  A function
      named setup_ntlm_resp(), similar to setup_ntlmv2_resp(), replaces
      function cifs_calculate_session_key().
      
      size of CIFS_SESS_KEY_SIZE is changed to 16, to reflect the byte size
      of the key it holds.
      Reviewed-by: NJeff Layton <jlayton@samba.org>
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      21e73393
  13. 18 10月, 2010 4 次提交
  14. 13 10月, 2010 1 次提交
    • J
      cifs: don't use vfsmount to pin superblock for oplock breaks · d7c86ff8
      Jeff Layton 提交于
      Filesystems aren't really supposed to do anything with a vfsmount. It's
      considered a layering violation since vfsmounts are entirely managed at
      the VFS layer.
      
      CIFS currently keeps an active reference to a vfsmount in order to
      prevent the superblock vanishing before an oplock break has completed.
      What we really want to do instead is to keep sb->s_active high until the
      oplock break has completed. This patch borrows the scheme that NFS uses
      for handling sillyrenames.
      
      An atomic_t is added to the cifs_sb_info. When it transitions from 0 to
      1, an extra reference to the superblock is taken (by bumping the
      s_active value). When it transitions from 1 to 0, that reference is
      dropped and a the superblock teardown may proceed if there are no more
      references to it.
      
      Also, the vfsmount pointer is removed from cifsFileInfo and from
      cifs_new_fileinfo, and some bogus forward declarations are removed from
      cifsfs.h.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Reviewed-by: NSuresh Jayaraman <sjayaraman@suse.de>
      Acked-by: NDave Kleikamp <shaggy@linux.vnet.ibm.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      d7c86ff8
  15. 07 10月, 2010 2 次提交
  16. 30 9月, 2010 5 次提交
    • J
      cifs: have cifs_new_fileinfo take a tcon arg · f7a40689
      Jeff Layton 提交于
      To minimize calls to cifs_sb_tcon and to allow for a clear error path if
      a tcon can't be acquired.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      f7a40689
    • S
    • S
      cifs NTLMv2/NTLMSSP ntlmv2 within ntlmssp autentication code · 2b149f11
      Shirish Pargaonkar 提交于
      Attribue Value (AV) pairs or Target Info (TI) pairs are part of
      ntlmv2 authentication.
      Structure ntlmv2_resp had only definition for two av pairs.
      So removed it, and now allocation of av pairs is dynamic.
      For servers like Windows 7/2008, av pairs sent by server in
      challege packet (type 2 in the ntlmssp exchange/negotiation) can
      vary.
      
      Server sends them during ntlmssp negotiation. So when ntlmssp is used
      as an authentication mechanism, type 2 challenge packet from server
      has this information.  Pluck it and use the entire blob for
      authenticaiton purpose.  If user has not specified, extract
      (netbios) domain name from the av pairs which is used to calculate
      ntlmv2 hash.  Servers like Windows 7 are particular about the AV pair
      blob.
      
      Servers like Windows 2003, are not very strict about the contents
      of av pair blob used during ntlmv2 authentication.
      So when security mechanism such as ntlmv2 is used (not ntlmv2 in ntlmssp),
      there is no negotiation and so genereate a minimal blob that gets
      used in ntlmv2 authentication as well as gets sent.
      
      Fields tilen and tilbob are session specific.  AV pair values are defined.
      
      To calculate ntlmv2 response we need ti/av pair blob.
      
      For sec mech like ntlmssp, the blob is plucked from type 2 response from
      the server.  From this blob, netbios name of the domain is retrieved,
      if user has not already provided, to be included in the Target String
      as part of ntlmv2 hash calculations.
      
      For sec mech like ntlmv2, create a minimal, two av pair blob.
      
      The allocated blob is freed in case of error.  In case there is no error,
      this blob is used in calculating ntlmv2 response (in CalcNTLMv2_response)
      and is also copied on the response to the server, and then freed.
      
      The type 3 ntlmssp response is prepared on a buffer,
      5 * sizeof of struct _AUTHENTICATE_MESSAGE, an empirical value large
      enough to hold _AUTHENTICATE_MESSAGE plus a blob with max possible
      10 values as part of ntlmv2 response and lmv2 keys and domain, user,
      workstation  names etc.
      
      Also, kerberos gets selected as a default mechanism if server supports it,
      over the other security mechanisms.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      2b149f11
    • S
      cifs NTLMv2/NTLMSSP Change variable name mac_key to session key to reflect the key it holds · 5f98ca9a
      Shirish Pargaonkar 提交于
      Change name of variable mac_key to session key.
      The reason mac_key was changed to session key is, this structure does not
      hold message authentication code, it holds the session key (for ntlmv2,
      ntlmv1 etc.).  mac is generated as a signature in cifs_calc* functions.
      Signed-off-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      5f98ca9a
    • S
      cifs: fix broken oplock handling · aa91c7e4
      Suresh Jayaraman 提交于
      cifs_new_fileinfo() does not use the 'oplock' value from the callers. Instead,
      it sets it to REQ_OPLOCK which seems wrong. We should be using the oplock value
      obtained from the Server to set the inode's clientCanCacheAll or
      clientCanCacheRead flags. Fix this by passing oplock from the callers to
      cifs_new_fileinfo().
      
      This change dates back to commit a6ce4932 (2.6.30-rc3). So, all the affected
      versions will need this fix. Please Cc stable once reviewed and accepted.
      
      Cc: Stable <stable@kernel.org>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSuresh Jayaraman <sjayaraman@suse.de>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      aa91c7e4
  17. 09 9月, 2010 3 次提交
  18. 21 8月, 2010 1 次提交
  19. 06 8月, 2010 1 次提交
  20. 02 8月, 2010 1 次提交
    • J
      cifs: set the port in sockaddr in a more clearly defined fashion · 50d97160
      Jeff Layton 提交于
      This patch should replace the patch I sent a couple of weeks ago to
      set the port in cifs_convert_address.
      
      Currently we set this in cifs_find_tcp_session, but that's more of a
      side effect than anything. Add a new function called cifs_fill_sockaddr.
      Have it call cifs_convert_address and then set the port.
      
      This also allows us to skip passing in the port as a separate parm to
      cifs_find_tcp_session.
      
      Also, change cifs_convert_address take a struct sockaddr * rather than
      void * to make it clearer how this function should be called.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      50d97160
  21. 17 6月, 2010 1 次提交
    • J
      cifs: move cifs_new_fileinfo call out of cifs_posix_open · 2422f676
      Jeff Layton 提交于
      Having cifs_posix_open call cifs_new_fileinfo is problematic and
      inconsistent with how "regular" opens work. It's also buggy as
      cifs_reopen_file calls this function on a reconnect, which creates a new
      struct cifsFileInfo that just gets leaked.
      
      Push it out into the callers. This also allows us to get rid of the
      "mnt" arg to cifs_posix_open.
      
      Finally, in the event that a cifsFileInfo isn't or can't be created, we
      always want to close the filehandle out on the server as the client
      won't have a record of the filehandle and can't actually use it. Make
      sure that CIFSSMBClose is called in those cases.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Reviewed-and-Tested-by: NSuresh Jayaraman <sjayaraman@suse.de>
      2422f676