Commit a8f8e8ac authored by Linus Torvalds

Merge tag '4.17-SMB3-Fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs updates from Steve French:
 "Includes SMB3.11 security improvements, as well as various fixes for
  stable and some debugging improvements"

* tag '4.17-SMB3-Fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Add minor debug message during negprot
  smb3: Fix root directory when server returns inode number of zero
  cifs: fix sparse warning on previous patch in a few printks
  cifs: add server->vals->header_preamble_size
  cifs: smbd: disconnect transport on RDMA errors
  cifs: smbd: avoid reconnect lockup
  Don't log confusing message on reconnect by default
  Don't log expected error on DFS referral request
  fs: cifs: Replace _free_xid call in cifs_root_iget function
  SMB3.1.1 dialect is no longer experimental
  Tree connect for SMB3.1.1 must be signed for non-encrypted shares
  fix smb3-encryption breakage when CONFIG_DEBUG_SG=y
  CIFS: fix sha512 check in cifs_crypto_secmech_release
  CIFS: implement v3.11 preauth integrity
  CIFS: add sha512 secmech
  CIFS: refactor crypto shash/sdesc allocation&free
  Update README file for cifs.ko
  Update TODO list for cifs.ko
  cifs: fix memory leak in SMB2_open()
  CIFS: SMBD: fix spelling mistake: "faield" and "legnth"
parents 2bd99df5 07108d0e
+13 −16
@@ -11,13 +11,14 @@ Information Foundation. CIFS and now SMB3 has now become a defacto
standard for interoperating between Macs and Windows and major NAS appliances.

Please see
  MS-SMB2 (for detailed SMB2/SMB3/SMB3.1.1 protocol specification)
  http://protocolfreedom.org/ and
  http://samba.org/samba/PFIF/
for more details.


For questions or bug reports please contact:
    sfrench@samba.org (sfrench@us.ibm.com) 
    smfrench@gmail.com

See the project page at: https://wiki.samba.org/index.php/LinuxCIFS_utils

@@ -37,15 +38,15 @@ Installation instructions:
=========================
If you have built the CIFS vfs as module (successfully) simply
type "make modules_install" (or if you prefer, manually copy the file to
the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.o).
the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.ko).

If you have built the CIFS vfs into the kernel itself, follow the instructions
for your distribution on how to install a new kernel (usually you
would simply type "make install").

If you do not have the utility mount.cifs (in the Samba 3.0 source tree and on 
the CIFS VFS web site) copy it to the same directory in which mount.smbfs and 
similar files reside (usually /sbin).  Although the helper software is not  
If you do not have the utility mount.cifs (in the Samba 4.x source tree and on
the CIFS VFS web site) copy it to the same directory in which mount helpers
reside (usually /sbin).  Although the helper software is not
required, mount.cifs is recommended.  Most distros include a "cifs-utils"
package that includes this utility so it is recommended to install this.

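Review bot: the example path in the installation paragraph now ends in cifs.ko but still names a 2.4.10-4GB module directory, and .ko module files belong to 2.6 and later kernels, so the example contradicts itself. Suggest a version-neutral path such as /lib/modules/<kernel-version>/kernel/fs/cifs/cifs.ko.
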
@@ -119,9 +120,12 @@ or unpredictable UNC names.

Samba Considerations 
====================
To get the maximum benefit from the CIFS VFS, we recommend using a server that 
supports the SNIA CIFS Unix Extensions standard (e.g.  Samba 2.2.5 or later or 
Samba 3.0) but the CIFS vfs works fine with a wide variety of CIFS servers.  
Most current servers support SMB2.1 and SMB3 which are more secure,
but there are useful protocol extensions for the older less secure CIFS
dialect, so to get the maximum benefit if mounting using the older dialect
(CIFS/SMB1), we recommend using a server that supports the SNIA CIFS
Unix Extensions standard (e.g. almost any  version of Samba ie version
2.2.5 or later) but the CIFS vfs works fine with a wide variety of CIFS servers.
Note that uid, gid and file permissions will display default values if you do 
not have a server that supports the Unix extensions for CIFS (such as Samba 
2.2.5 or later).  To enable the Unix CIFS Extensions in the Samba server, add 
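Review bot: the rewritten sentence in Samba Considerations is hard to parse at "(e.g. almost any  version of Samba ie version 2.2.5 or later)": it stacks "e.g." and "ie", carries a double space, and the following sentence repeats "Samba 2.2.5 or later". Suggest "(e.g. Samba 2.2.5 or later)" and splitting the long sentence so the statement that SMB2.1 and SMB3 are more secure than CIFS/SMB1 stands on its own.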
@@ -603,11 +607,6 @@ Stats Lists summary resource usage information as well as per
			in the kernel configuration.

Configuration pseudo-files:
PacketSigningEnabled	If set to one, cifs packet signing is enabled
			and will be used if the server requires 
			it.  If set to two, cifs packet signing is
			required even if the server considers packet
			signing optional. (default 1)
SecurityFlags		Flags which control security negotiation and
			also packet signing. Authentication (may/must)
			flags (e.g. for NTLM and/or NTLMv2) may be combined with
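Review bot: dropping the PacketSigningEnabled entry at the top of the configuration pseudo-files list leaves no pointer for readers who still reference it; the SecurityFlags entry that follows says it also controls packet signing, so a short mention there that it supersedes PacketSigningEnabled would make the signing configuration easier to find.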
@@ -666,8 +665,6 @@ traceSMB If set to one, debug information is logged to the
LookupCacheEnable	If set to one, inode information is kept cached
			for one second improving performance of lookups
			(default 1)
OplockEnabled		If set to one, safe distributed caching enabled.
			(default 1)
LinuxExtensionsEnabled	If set to one then the client will attempt to
			use the CIFS "UNIX" extensions which are optional
			protocol enhancements that allow CIFS servers
+14 −11
Version 2.04 September 13, 2017
Version 2.11 September 13, 2017

A Partial List of Missing Features
==================================
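Review bot: the version line moves from 2.04 to 2.11 but keeps the date September 13, 2017; update the date together with the version so the header shows when the list was last revised.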
@@ -8,10 +8,10 @@ for visible, important contributions to this module. Here
is a partial list of the known problems and missing features:

a) SMB3 (and SMB3.02) missing optional features:
   - RDMA (started)
   - multichannel (started)
   - multichannel (started), integration with RDMA
   - directory leases (improved metadata caching)
   - T10 copy offload (copy chunk is only mechanism supported)
   - T10 copy offload (copy chunk, and "Duplicate Extents" ioctl
     currently the only two server side copy mechanisms supported)

b) improved sparse file support

@@ -21,9 +21,8 @@ using Directory Leases
d) quota support (needs minor kernel change since quota calls
to make it to network filesystems or deviceless filesystems)

e) Better optimize open to reduce redundant opens (using reference
counts more) and to improve use of compounding in SMB3 to reduce
number of roundtrips.
e) Compounding (in progress) to reduce number of roundtrips, and also
better optimize open to reduce redundant opens (using reference counts more).

f) Finish inotify support so kde and gnome file list windows
will autorefresh (partially complete by Asser). Needs minor kernel
@@ -35,7 +34,8 @@ the CIFS statistics (started)
h) implement support for security and trusted categories of xattrs
(requires minor protocol extension) to enable better support for SELINUX

i) Implement O_DIRECT flag on open (already supported on mount)
i) Add support for tree connect contexts (see MS-SMB2) a new SMB3.1.1 protocol
   feature (may be especially useful for virtualization).

j) Create UID mapping facility so server UIDs can be mapped on a per
mount or a per server basis to client UIDs or nobody if no mapping
@@ -53,13 +53,16 @@ viewing them.

o) mount helper GUI (to simplify the various configuration options on mount)

p) autonegotiation of dialects (offering more than one dialect ie SMB3.02,
SMB3, SMB2.1 not just SMB3).
p) Add support for witness protocol (perhaps ioctl to cifs.ko from user space
   tool listening on witness protocol RPC) to allow for notification of share
   move, server failover, and server adapter changes.  And also improve other
   failover scenarios, e.g. when client knows multiple DFS entries point to
   different servers, and the server we are connected to has gone down.

q) Allow mount.cifs to be more verbose in reporting errors with dialect
or unsupported feature errors.

r) updating cifs documentation, and user guid.
r) updating cifs documentation, and user guide.

s) Addressing bugs found by running a broader set of xfstests in standard
file system xfstest suite.
+4 −4
@@ -187,13 +187,13 @@ config CIFS_NFSD_EXPORT
	   Allows NFS server to export a CIFS mounted share (nfsd over cifs)

config CIFS_SMB311
	bool "SMB3.1.1 network file system support (Experimental)"
	bool "SMB3.1.1 network file system support"
	depends on CIFS
	select CRYPTO_SHA512

	help
	  This enables experimental support for the newest, SMB3.1.1, dialect.
	  This dialect includes improved security negotiation features.
	  If unsure, say N
	  This enables support for the newest, and most secure dialect, SMB3.11.
	  If unsure, say Y

config CIFS_SMB_DIRECT
	bool "SMB Direct support (Experimental)"
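Review bot: the CIFS_SMB311 help text now ends with "If unsure, say Y", but the entry shown has no default line, so the bool still defaults to n and the advice and the default disagree. Add "default y" if enabling the dialect by default is the intent. The help text also writes "SMB3.11" while the prompt string says "SMB3.1.1"; pick one spelling.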
+14 −71
@@ -36,37 +36,6 @@
#include <crypto/skcipher.h>
#include <crypto/aead.h>

static int
cifs_crypto_shash_md5_allocate(struct TCP_Server_Info *server)
{
	int rc;
	unsigned int size;

	if (server->secmech.sdescmd5 != NULL)
		return 0; /* already allocated */

	server->secmech.md5 = crypto_alloc_shash("md5", 0, 0);
	if (IS_ERR(server->secmech.md5)) {
		cifs_dbg(VFS, "could not allocate crypto md5\n");
		rc = PTR_ERR(server->secmech.md5);
		server->secmech.md5 = NULL;
		return rc;
	}

	size = sizeof(struct shash_desc) +
			crypto_shash_descsize(server->secmech.md5);
	server->secmech.sdescmd5 = kmalloc(size, GFP_KERNEL);
	if (!server->secmech.sdescmd5) {
		crypto_free_shash(server->secmech.md5);
		server->secmech.md5 = NULL;
		return -ENOMEM;
	}
	server->secmech.sdescmd5->shash.tfm = server->secmech.md5;
	server->secmech.sdescmd5->shash.flags = 0x0;

	return 0;
}

int __cifs_calc_signature(struct smb_rqst *rqst,
			struct TCP_Server_Info *server, char *signature,
			struct shash_desc *shash)
@@ -132,13 +101,10 @@ static int cifs_calc_signature(struct smb_rqst *rqst,
	if (!rqst->rq_iov || !signature || !server)
		return -EINVAL;

	if (!server->secmech.sdescmd5) {
		rc = cifs_crypto_shash_md5_allocate(server);
		if (rc) {
			cifs_dbg(VFS, "%s: Can't alloc md5 crypto\n", __func__);
	rc = cifs_alloc_hash("md5", &server->secmech.md5,
			     &server->secmech.sdescmd5);
	if (rc)
		return -1;
		}
	}

	rc = crypto_shash_init(&server->secmech.sdescmd5->shash);
	if (rc) {
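Review bot: in cifs_calc_signature the failure path after cifs_alloc_hash() still does "return -1", which discards the error code held in rc; the helper removed earlier in this file returned real errno values such as -ENOMEM. Suggest "return rc;" so callers see the actual allocation error rather than a value that reads as -EPERM.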
@@ -663,37 +629,6 @@ CalcNTLMv2_response(const struct cifs_ses *ses, char *ntlmv2_hash)
	return rc;
}

static int crypto_hmacmd5_alloc(struct TCP_Server_Info *server)
{
	int rc;
	unsigned int size;

	/* check if already allocated */
	if (server->secmech.sdeschmacmd5)
		return 0;

	server->secmech.hmacmd5 = crypto_alloc_shash("hmac(md5)", 0, 0);
	if (IS_ERR(server->secmech.hmacmd5)) {
		cifs_dbg(VFS, "could not allocate crypto hmacmd5\n");
		rc = PTR_ERR(server->secmech.hmacmd5);
		server->secmech.hmacmd5 = NULL;
		return rc;
	}

	size = sizeof(struct shash_desc) +
			crypto_shash_descsize(server->secmech.hmacmd5);
	server->secmech.sdeschmacmd5 = kmalloc(size, GFP_KERNEL);
	if (!server->secmech.sdeschmacmd5) {
		crypto_free_shash(server->secmech.hmacmd5);
		server->secmech.hmacmd5 = NULL;
		return -ENOMEM;
	}
	server->secmech.sdeschmacmd5->shash.tfm = server->secmech.hmacmd5;
	server->secmech.sdeschmacmd5->shash.flags = 0x0;

	return 0;
}

int
setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
{
@@ -757,9 +692,10 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)

	mutex_lock(&ses->server->srv_mutex);

	rc = crypto_hmacmd5_alloc(ses->server);
	rc = cifs_alloc_hash("hmac(md5)",
			     &ses->server->secmech.hmacmd5,
			     &ses->server->secmech.sdeschmacmd5);
	if (rc) {
		cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
		goto unlock;
	}

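Review bot: in the error branch after cifs_alloc_hash() in setup_ntlmv2_rsp, if the cifs_dbg() line is one of the two removals the hunk header counts imply, the braces are left around a single "goto unlock;". Kernel coding style drops braces around a single statement. It is also worth confirming that cifs_alloc_hash() logs the failure itself, since this caller would no longer do so.
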
@@ -893,6 +829,11 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
		server->secmech.md5 = NULL;
	}

	if (server->secmech.sha512) {
		crypto_free_shash(server->secmech.sha512);
		server->secmech.sha512 = NULL;
	}

	if (server->secmech.hmacmd5) {
		crypto_free_shash(server->secmech.hmacmd5);
		server->secmech.hmacmd5 = NULL;
@@ -916,4 +857,6 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
	server->secmech.sdeschmacmd5 = NULL;
	kfree(server->secmech.sdescmd5);
	server->secmech.sdescmd5 = NULL;
	kfree(server->secmech.sdescsha512);
	server->secmech.sdescsha512 = NULL;
}
+1 −0
@@ -1486,6 +1486,7 @@ MODULE_SOFTDEP("pre: nls");
MODULE_SOFTDEP("pre: aes");
MODULE_SOFTDEP("pre: cmac");
MODULE_SOFTDEP("pre: sha256");
MODULE_SOFTDEP("pre: sha512");
MODULE_SOFTDEP("pre: aead2");
MODULE_SOFTDEP("pre: ccm");
module_init(init_cifs)
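Review bot: the new MODULE_SOFTDEP("pre: sha512") is unconditional in the lines shown, while the Kconfig change in this merge selects CRYPTO_SHA512 only under CIFS_SMB311. A softdep is only a load-order hint, so this is harmless, but wrapping it in #ifdef CONFIG_CIFS_SMB311 would keep the two consistent.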