Jeff, I reviewed and merged (into for-next of cifs-2.6.git) more from this series (patches 9 through 15, taking the version from the cifs-3.11 branch of your git tree on samba.org). Made trivial change to patch 15 (fixed a comment which caused a line over 80 columns). Will continue reviewing Hopefully Shirish can rebase his SMB3 signing work on top of this. On Tue, May 28, 2013 at 7:11 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote: > This is the second version of this patchset. The changes from the last > set are relatively minor: > > - the LANMAN NEGOTIATE handling doesn't call cifs_enable_signing itself > anymore. It now just returns back to CIFSSMBNegotiate which does it. > This addresses Pavel's concern about calling "goto neg_err_exit" when > there wasn't actually an error. > > - the handling of signing code has been restructured a bit. The code > now simply uses the ses->sectype and ses->sign fields to determine > whether a particular sectype or signing mode was requested in the > mount options. The actual determination about whether to use signing > is made later. > > Other than that, the patchset is essentially the same. Even though I've > made some changes, I've left Pavel's Acked-by and Reviewed-by lines in > place since they were pretty minor. Pavel, let me know if you want to > rescind any of them. > > I'd still like to see this go in for 3.11. Original cover letter follows: > > --------------------[snip]------------------ > > When the change to make cifs default to NTLMSSP auth was made recently, > it broke a number of working setups. If the server doesn't support > extended security, then there is no way to recover. This is mostly due > to the fact that CIFS handles the selection of the authentication to use > badly. It makes that decision before ever talking to the server. If it > guesses wrong, then there is no recourse. > > At SambaXP this year, I also spoke with Simo Sorce about making cifs.ko > talk directly to the new gssproxy daemon to handle GSSAPI auth. I think > that would be a good thing to do. Doing that would allow us to get out > of the ASN.1 parsing business for the most part, and allow cifs to > support things like NegoEx. We can't reasonably support that though with > the code as rickety as it is today. > > This patchset represents an overhaul of how cifs.ko selects the type of > authentication to use with the server. The idea here is to defer that > decision until SESSION_SETUP time, so that we can make an intelligent > decision about it based on the results of the NEGOTIATE. > > The first several patches in the series represent some cleanup of dead > and broken code and struct fields that are unused. Next, chunks of > CIFSSMBNegotiate are factored out into helper functions. Next, we change > how the auth selection is done, and do that using securityEnum values > and a flag for signing, rather than trying to pass around variants of > SecurityFlags. > > Lastly, there are a couple of patches that try to bring some sanity to > the SecurityFlags interface. > > I'd like to see this merged for 3.11, so getting it into linux-next soon > would be good. Once this is merged, we can start looking at how best to > integrate gssproxy with cifs.ko as well. > > Comments and suggestions welcome... > > Jeff Layton (19): > cifs: remove protocolEnum definition > cifs: remove useless memset in LANMAN auth code > cifs: make decode_ascii_ssetup void return > cifs: throw a warning if negotiate or sess_setup ops are passed NULL > server or session pointers > cifs: remove the cifs_ses->flags field > cifs: remove "seal" stubs > cifs: break out decoding of security blob into separate function > cifs: break out lanman NEGOTIATE handling into separate function > cifs: move handling of signed connections into separate function > cifs: factor out check for extended security bit into separate > function > cifs: add new "Unspecified" securityEnum value > cifs: track the flavor of the NEGOTIATE reponse > cifs: add new fields to smb_vol to track the requested security flavor > cifs: add new fields to cifs_ses to track requested security flavor > cifs: track the enablement of signing in the TCP_Server_Info > cifs: move sectype to the cifs_ses instead of TCP_Server_Info > cifs: update the default global_secflags to include "raw" NTLMv2 > cifs: clean up the SecurityFlags write handler > cifs: try to handle the MUST SecurityFlags sanely > > fs/cifs/cifs_debug.c | 48 +++++- > fs/cifs/cifsencrypt.c | 5 +- > fs/cifs/cifsfs.c | 13 +- > fs/cifs/cifsglob.h | 35 ++-- > fs/cifs/cifspdu.h | 4 +- > fs/cifs/cifsproto.h | 3 + > fs/cifs/cifssmb.c | 423 +++++++++++++++++++++++------------------------- > fs/cifs/connect.c | 155 +++++++----------- > fs/cifs/misc.c | 3 +- > fs/cifs/sess.c | 95 ++++++++--- > fs/cifs/smb1ops.c | 21 +-- > fs/cifs/smb2pdu.c | 114 ++++--------- > fs/cifs/smb2transport.c | 3 +- > fs/cifs/transport.c | 4 +- > 14 files changed, 443 insertions(+), 483 deletions(-) > > -- > 1.8.1.4 > -- Thanks, Steve -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
