From bfbd7e95b6b531d159c0e9615e04f8320ff21487 Mon Sep 17 00:00:00 2001 From: Steve French Date: Tue, 19 Jun 2018 14:34:08 -0500 Subject: [PATCH] cifs: allow disabling insecure dialects in the config commit 7420451f6a109f7f8f1bf283f34d08eba3259fb3 upstream. allow disabling cifs (SMB1 ie vers=1.0) and vers=2.0 in the config for the build of cifs.ko if want to always prevent mounting with these less secure dialects. Signed-off-by: Steve French Reviewed-by: Aurelien Aptel Reviewed-by: Jeremy Allison Cc: Alakesh Haloi Signed-off-by: Greg Kroah-Hartman --- fs/cifs/Kconfig | 17 ++++++++++++++++- fs/cifs/connect.c | 9 +++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig index 7b95e79..a78c4133 100644 --- a/fs/cifs/Kconfig +++ b/fs/cifs/Kconfig @@ -66,9 +66,24 @@ config CIFS_STATS2 Unless you are a developer or are doing network performance analysis or tuning, say N. +config CIFS_ALLOW_INSECURE_LEGACY + bool "Support legacy servers which use less secure dialects" + depends on CIFS + default y + help + Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have + additional security features, including protection against + man-in-the-middle attacks and stronger crypto hashes, so the use + of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged. + + Disabling this option prevents users from using vers=1.0 or vers=2.0 + on mounts with cifs.ko + + If unsure, say Y. + config CIFS_WEAK_PW_HASH bool "Support legacy servers which use weaker LANMAN security" - depends on CIFS + depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY help Modern CIFS servers including Samba and most Windows versions (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index fd24c72..d624813 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -1130,6 +1130,7 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol) substring_t args[MAX_OPT_ARGS]; switch (match_token(value, cifs_smb_version_tokens, args)) { +#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY case Smb_1: vol->ops = &smb1_operations; vol->vals = &smb1_values; @@ -1138,6 +1139,14 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol) vol->ops = &smb20_operations; vol->vals = &smb20_values; break; +#else + case Smb_1: + cifs_dbg(VFS, "vers=1.0 (cifs) mount not permitted when legacy dialects disabled\n"); + return 1; + case Smb_20: + cifs_dbg(VFS, "vers=2.0 mount not permitted when legacy dialects disabled\n"); + return 1; +#endif /* CIFS_ALLOW_INSECURE_LEGACY */ case Smb_21: vol->ops = &smb21_operations; vol->vals = &smb21_values; -- 2.7.4