ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this...

[ Upstream commit 37ba7b005a7a4454046bd8659c7a9c5330552396 ]

Currently, SMB2_SESSION_FLAG_ENCRYPT_DATA is always set session setup
response. Since this forces data encryption from the client, there is a
problem that data is always encrypted regardless of the use of the cifs
seal mount option. SMB2_SESSION_FLAG_ENCRYPT_DATA should be set according
to KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION flags, and in case of
KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF, encryption mode is turned off for
all connections.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/smb/server/ksmbd_netlink.h b/fs/smb/server/ksmbd_netlink.h
index ce866ff159bfeed95d59fe930aec14b3a7839481..fb8b2d566efb664802f15e399f3c9d10a54c6d2b 100644 (file)
--- a/fs/smb/server/ksmbd_netlink.h
+++ b/fs/smb/server/ksmbd_netlink.h
@@ -74,6 +74,7 @@ struct ksmbd_heartbeat {
 #define KSMBD_GLOBAL_FLAG_SMB2_LEASES          BIT(0)
 #define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION      BIT(1)
 #define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL    BIT(2)
+#define KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF  BIT(3)
 
 /*
  * IPC request for ksmbd server startup

diff --git a/fs/smb/server/smb2ops.c b/fs/smb/server/smb2ops.c
index ab23da2120b94ff13fb7cfe741173bcbd00255f4..e401302478c360a05c1ac40e750225248ad4a0d5 100644 (file)
--- a/fs/smb/server/smb2ops.c
+++ b/fs/smb/server/smb2ops.c
@@ -247,8 +247,9 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
        if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
                conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
 
-       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
-           conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+           (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+            conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
                conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
 
        if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
@@ -271,6 +272,11 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
        if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
                conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
 
+       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+           (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+            conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+               conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
        if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
                conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
 

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 3f4f6b03856552e11a4acd6df75d74ae6af73550..f5a46b6831636bec2ca16fc517fb37702069ed2d 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -935,7 +935,7 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
                return;
        }
 
-       if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION))
+       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF)
                return;
 
        for (i = 0; i < cph_cnt; i++) {
@@ -1544,7 +1544,8 @@ static int ntlm_authenticate(struct ksmbd_work *work,
                        return -EINVAL;
                }
                sess->enc = true;
-               rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
+               if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)
+                       rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
                /*
                 * signing is disable if encryption is enable
                 * on this session
@@ -1630,7 +1631,8 @@ static int krb5_authenticate(struct ksmbd_work *work,
                        return -EINVAL;
                }
                sess->enc = true;
-               rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
+               if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION)
+                       rsp->SessionFlags = SMB2_SESSION_FLAG_ENCRYPT_DATA_LE;
                sess->sign = false;
        }