[Xenial][PULL] CIFS: Enable encryption for SMB3

[Xenial][PULL] CIFS: Enable encryption for SMB3

Joseph Salisbury-3
There has been work upstream to enable encryption support for SMB3
connections. This is a particularly valuable (and commonly requested)
feature with the Azure Files service as encryption is required to connect
to an Azure Files storage share from on-prem or from a different Azure region.

BugLink: http://bugs.launchpad.net/bugs/1670508

The following changes since commit 05022128a513a344d156de5bffd88e3dda4c8da6:

  UBUNTU: Ubuntu-4.4.0-66.87 (2017-03-03 13:13:10 +0100)

are available in the git repository at:

  kernel.ubuntu.com:/srv/kernel.ubuntu.com/git/jsalisbury/bugs/lp1670508/ubuntu-xenial.git

for you to fetch changes up to a16041fde91bd7e13bd1e237a8ca9a1cd28877bf:

  CIFS: Fix possible use after free in demultiplex thread (2017-03-27 11:52:33 -0400)

----------------------------------------------------------------
Al Viro (5):
      [net] drop 'size' argument of sock_recvmsg()
      cifs: merge the hash calculation helpers
      cifs: no need to wank with copying and advancing iovec on recvmsg side either
      cifs: don't bother with kmap on read_pages side
      cifs_readv_receive: use cifs_read_from_socket()

Jean Delvare (3):
      cifs: Simplify SMB2 and SMB311 dependencies
      cifs: Only select the required crypto modules
      cifs: Add soft dependencies

Pavel Shilovsky (16):
      CIFS: Separate SMB2 header structure
      CIFS: Make SendReceive2() takes resp iov
      CIFS: Make send_cancel take rqst as argument
      CIFS: Send RFC1001 length in a separate iov
      CIFS: Separate SMB2 sync header processing
      CIFS: Separate RFC1001 length processing for SMB2 read
      CIFS: Add capability to transform requests before sending
      CIFS: Enable encryption during session setup phase
      CIFS: Encrypt SMB3 requests before sending
      CIFS: Add transform header handling callbacks
      CIFS: Add mid handle callback
      CIFS: Add copy into pages callback for a read operation
      CIFS: Decrypt and process small encrypted packets
      CIFS: Add capability to decrypt big read responses
      CIFS: Allow to switch on encryption with seal mount option
      CIFS: Fix possible use after free in demultiplex thread

Sachin Prabhu (3):
      Fix memory leaks in cifs_do_mount()
      SMB2: Separate Kerberos authentication from SMB2_sess_setup
      SMB2: Separate RawNTLMSSP authentication from SMB2_sess_setup

Steve French (4):
      cifs: Make echo interval tunable
      Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this.
      SMB3: Add mount parameter to allow user to override max credits
      SMB3: parsing for new snapshot timestamp mount parm

 drivers/target/iscsi/iscsi_target_util.c |    5 +-
 fs/cifs/Kconfig                          |   12 +-
 fs/cifs/cifsencrypt.c                    |  130 ++--
 fs/cifs/cifsfs.c                         |   16 +
 fs/cifs/cifsglob.h                       |   64 +-
 fs/cifs/cifsproto.h                      |   28 +-
 fs/cifs/cifssmb.c                        |  146 ++--
 fs/cifs/connect.c                        |  273 ++++----
 fs/cifs/file.c                           |  101 +--
 fs/cifs/misc.c                           |    2 +-
 fs/cifs/sess.c                           |   27 +-
 fs/cifs/smb1ops.c                        |    4 +-
 fs/cifs/smb2glob.h                       |   13 +-
 fs/cifs/smb2maperror.c                   |    5 +-
 fs/cifs/smb2misc.c                       |   83 ++-
 fs/cifs/smb2ops.c                        |  698 ++++++++++++++++++-
 fs/cifs/smb2pdu.c                        | 1104 +++++++++++++++++++-----------
 fs/cifs/smb2pdu.h                        |   35 +-
 fs/cifs/smb2proto.h                      |    8 +-
 fs/cifs/smb2transport.c                  |  337 +++++----
 fs/cifs/transport.c                      |  171 +++--
 include/linux/net.h                      |    3 +-
 net/socket.c                             |   23 +-
 23 files changed, 2297 insertions(+), 991 deletions(-)

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: [Xenial][PULL] CIFS: Enable encryption for SMB3

Tim Gardner-2
I'm less sanguine about this patch set. Some of these patches are huge,
many of which were not clean cherry picks. Furthermore, this is abusing
our SRU policy in that it is a new feature that is not at all
independent of existing code. While the test results in the Azure
environment look good, I wonder about regressions in other environments.

rtg
--
Tim Gardner [hidden email]


Re: [Xenial][PULL] CIFS: Enable encryption for SMB3

Stefan Bader-2
In reply to this post by Joseph Salisbury-3
On 27.03.2017 18:00, Joseph Salisbury wrote:

> There has been work upstream to enable encryption support for SMB3
> connections. This is a particularly valuable (and commonly requested)
> feature with the Azure Files service as encryption is required to connect
> to an Azure Files storage share from on-prem or from a different Azure region.
>
> BugLink: http://bugs.launchpad.net/bugs/1670508
>
> The following changes since commit 05022128a513a344d156de5bffd88e3dda4c8da6:
>
>   UBUNTU: Ubuntu-4.4.0-66.87 (2017-03-03 13:13:10 +0100)
>
> are available in the git repository at:
>
>   kernel.ubuntu.com:/srv/kernel.ubuntu.com/git/jsalisbury/bugs/lp1670508/ubuntu-xenial.git
>
> for you to fetch changes up to a16041fde91bd7e13bd1e237a8ca9a1cd28877bf:
>
>   CIFS: Fix possible use after free in demultiplex thread (2017-03-27 11:52:33 -0400)
>
> ----------------------------------------------------------------
> Al Viro (5):
>       [net] drop 'size' argument of sock_recvmsg()
>       cifs: merge the hash calculation helpers
>       cifs: no need to wank with copying and advancing iovec on recvmsg side either
>       cifs: don't bother with kmap on read_pages side
>       cifs_readv_receive: use cifs_read_from_socket()
>
> Jean Delvare (3):
>       cifs: Simplify SMB2 and SMB311 dependencies
>       cifs: Only select the required crypto modules
>       cifs: Add soft dependencies
>
> Pavel Shilovsky (16):
>       CIFS: Separate SMB2 header structure
>       CIFS: Make SendReceive2() takes resp iov
>       CIFS: Make send_cancel take rqst as argument
>       CIFS: Send RFC1001 length in a separate iov
>       CIFS: Separate SMB2 sync header processing
>       CIFS: Separate RFC1001 length processing for SMB2 read
>       CIFS: Add capability to transform requests before sending
>       CIFS: Enable encryption during session setup phase
>       CIFS: Encrypt SMB3 requests before sending
>       CIFS: Add transform header handling callbacks
>       CIFS: Add mid handle callback
>       CIFS: Add copy into pages callback for a read operation
>       CIFS: Decrypt and process small encrypted packets
>       CIFS: Add capability to decrypt big read responses
>       CIFS: Allow to switch on encryption with seal mount option
>       CIFS: Fix possible use after free in demultiplex thread
>
> Sachin Prabhu (3):
>       Fix memory leaks in cifs_do_mount()
>       SMB2: Separate Kerberos authentication from SMB2_sess_setup
>       SMB2: Separate RawNTLMSSP authentication from SMB2_sess_setup
>
> Steve French (4):
>       cifs: Make echo interval tunable
>       Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this.
>       SMB3: Add mount parameter to allow user to override max credits
>       SMB3: parsing for new snapshot timestamp mount parm
>
>  drivers/target/iscsi/iscsi_target_util.c |    5 +-
>  fs/cifs/Kconfig                          |   12 +-
>  fs/cifs/cifsencrypt.c                    |  130 ++--
>  fs/cifs/cifsfs.c                         |   16 +
>  fs/cifs/cifsglob.h                       |   64 +-
>  fs/cifs/cifsproto.h                      |   28 +-
>  fs/cifs/cifssmb.c                        |  146 ++--
>  fs/cifs/connect.c                        |  273 ++++----
>  fs/cifs/file.c                           |  101 +--
>  fs/cifs/misc.c                           |    2 +-
>  fs/cifs/sess.c                           |   27 +-
>  fs/cifs/smb1ops.c                        |    4 +-
>  fs/cifs/smb2glob.h                       |   13 +-
>  fs/cifs/smb2maperror.c                   |    5 +-
>  fs/cifs/smb2misc.c                       |   83 ++-
>  fs/cifs/smb2ops.c                        |  698 ++++++++++++++++++-
>  fs/cifs/smb2pdu.c                        | 1104 +++++++++++++++++++-----------
>  fs/cifs/smb2pdu.h                        |   35 +-
>  fs/cifs/smb2proto.h                      |    8 +-
>  fs/cifs/smb2transport.c                  |  337 +++++----
>  fs/cifs/transport.c                      |  171 +++--
>  include/linux/net.h                      |    3 +-
>  net/socket.c                             |   23 +-
>  23 files changed, 2297 insertions(+), 991 deletions(-)
>
That is a pretty huge set that modifies the cifs driver. Is there any wider
scoped testing done to ensure that this does not break some existing functionality?

-Stefan


ACK: [Xenial][PULL] CIFS: Enable encryption for SMB3

brad.figg
In reply to this post by Joseph Salisbury-3