cifs: match secType when searching for existing tcp session

The secType is a per-tcp session entity, but the current routine doesn't
verify that it is acceptible when attempting to match an existing TCP
session.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 06b48998db944e74d68eb0a74f68073dfd220635..8fb1d10b8742bdf976bc5f9b7ad325ccfa33d4e7 100644 (file)
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -83,8 +83,7 @@ enum statusEnum {
 };
 
 enum securityEnum {
-       PLAINTXT = 0,           /* Legacy with Plaintext passwords */
-       LANMAN,                 /* Legacy LANMAN auth */
+       LANMAN = 0,                     /* Legacy LANMAN auth */
        NTLM,                   /* Legacy NTLM012 auth with NTLM hash */
        NTLMv2,                 /* Legacy NTLM auth with NTLMv2 hash */
        RawNTLMSSP,             /* NTLMSSP without SPNEGO, NTLMv2 hash */

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 65e760b9428f8139444a253e1e6277c5f91dfac5..b24e4cea4e3c808288d3332a09e53efa18645f9f 100644 (file)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1412,8 +1412,56 @@ match_address(struct TCP_Server_Info *server, struct sockaddr *addr)
        return true;
 }
 
+static bool
+match_security(struct TCP_Server_Info *server, struct smb_vol *vol)
+{
+       unsigned int secFlags;
+
+       if (vol->secFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
+               secFlags = vol->secFlg;
+       else
+               secFlags = global_secflags | vol->secFlg;
+
+       switch (server->secType) {
+       case LANMAN:
+               if (!(secFlags & (CIFSSEC_MAY_LANMAN|CIFSSEC_MAY_PLNTXT)))
+                       return false;
+               break;
+       case NTLMv2:
+               if (!(secFlags & CIFSSEC_MAY_NTLMV2))
+                       return false;
+               break;
+       case NTLM:
+               if (!(secFlags & CIFSSEC_MAY_NTLM))
+                       return false;
+               break;
+       case Kerberos:
+               if (!(secFlags & CIFSSEC_MAY_KRB5))
+                       return false;
+               break;
+       case RawNTLMSSP:
+               if (!(secFlags & CIFSSEC_MAY_NTLMSSP))
+                       return false;
+               break;
+       default:
+               /* shouldn't happen */
+               return false;
+       }
+
+       /* now check if signing mode is acceptible */
+       if ((secFlags & CIFSSEC_MAY_SIGN) == 0 &&
+           (server->secMode & SECMODE_SIGN_REQUIRED))
+                       return false;
+       else if (((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) &&
+                (server->secMode &
+                 (SECMODE_SIGN_ENABLED|SECMODE_SIGN_REQUIRED)) == 0)
+                       return false;
+
+       return true;
+}
+
 static struct TCP_Server_Info *
-cifs_find_tcp_session(struct sockaddr *addr)
+cifs_find_tcp_session(struct sockaddr *addr, struct smb_vol *vol)
 {
        struct TCP_Server_Info *server;
 
@@ -1431,6 +1479,9 @@ cifs_find_tcp_session(struct sockaddr *addr)
                if (!match_address(server, addr))
                        continue;
 
+               if (!match_security(server, vol))
+                       continue;
+
                ++server->srv_count;
                write_unlock(&cifs_tcp_ses_lock);
                cFYI(1, "Existing tcp session with server found");
@@ -1501,7 +1552,7 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
        }
 
        /* see if we already have a matching tcp_ses */
-       tcp_ses = cifs_find_tcp_session((struct sockaddr *)&addr);
+       tcp_ses = cifs_find_tcp_session((struct sockaddr *)&addr, volume_info);
        if (tcp_ses)
                return tcp_ses;