Retire NETSMBCRYPTO as a kernel option and make its functionality

enabled by default in NETSMB and smbfs.ko. With the most of modern SMB providers requiring encryption by default, there is little sense left in keeping the crypto part of NETSMB optional at the build time. This will also return smbfs.ko to its former properties users are rather accustomed to. Discussed with: freebsd-stable, re (scottl) Not objected by: bp, tjr (silence) MFC after: 5 days
2006-03-05 22:52:17 +00:00 · 2006-03-05 22:52:17 +00:00 · 8d96e45531
commit 8d96e45531
parent 62fba1c397
14 changed files with 17 additions and 57 deletions
--- a/4
+++ b/4
@ -21,6 +21,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.

+20060305:
+	The NETSMBCRYPTO kernel option has been retired because its
+	functionality is always included in NETSMB and smbfs.ko now.
+
 20060303:
 	The TDFX_LINUX kernel option was retired and replaced by the
 	tdfx_linux device.  The latter can be loaded as a kernel module.
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -489,9 +489,7 @@ options 	NETATALKDEBUG		#Appletalk debugging
 # SMB/CIFS requester
 # NETSMB enables support for SMB protocol, it requires LIBMCHAIN and LIBICONV
 # options.
-# NETSMBCRYPTO enables support for encrypted passwords.
 options 	NETSMB			#SMB/CIFS requester
-options 	NETSMBCRYPTO		#encrypted password support for SMB

 # mchain library. It can be either loaded as KLD or compiled into kernel
 options 	LIBMCHAIN
--- a/sys/conf/files
+++ b/sys/conf/files
@ -334,8 +334,8 @@ contrib/pf/net/pf_osfp.c	optional pf \
 contrib/pf/netinet/in4_cksum.c	optional pf inet
 crypto/blowfish/bf_ecb.c	optional ipsec ipsec_esp
 crypto/blowfish/bf_skey.c	optional crypto | ipsec ipsec_esp
-crypto/des/des_ecb.c		optional crypto | ipsec ipsec_esp | netsmbcrypto
-crypto/des/des_setkey.c		optional crypto | ipsec ipsec_esp | netsmbcrypto
+crypto/des/des_ecb.c		optional crypto | ipsec ipsec_esp | netsmb
+crypto/des/des_setkey.c		optional crypto | ipsec ipsec_esp | netsmb
 crypto/rc4/rc4.c		optional netgraph_mppc_encryption
 crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
 					 ipsec | random | wlan_ccmp
--- a/sys/conf/files.alpha
+++ b/sys/conf/files.alpha
@ -146,7 +146,7 @@ compat/linux/linux_stats.c	optional	compat_linux
 compat/linux/linux_util.c	optional	compat_linux
 crypto/blowfish/bf_enc.c	optional	crypto | ipsec ipsec_esp
 crypto/des/des_enc.c		optional	crypto | ipsec ipsec_esp | \
-						netsmbcrypto
+						netsmb
 dev/advansys/adv_isa.c		optional	adv isa
 dev/aic/aic_isa.c		optional	aic isa
 dev/atkbdc/atkbd.c		optional	atkbd atkbdc
--- a/sys/conf/files.amd64
+++ b/sys/conf/files.amd64
@ -131,7 +131,7 @@ amd64/pci/pci_bus.c		optional	pci
 amd64/pci/pci_cfgreg.c		optional	pci
 crypto/blowfish/bf_enc.c	optional	crypto | ipsec ipsec_esp
 crypto/des/des_enc.c		optional	crypto | ipsec ipsec_esp | \
-						netsmbcrypto
+						netsmb
 dev/acpica/acpi_if.m		standard
 dev/arcmsr/arcmsr.c		optional	arcmsr pci
 dev/atkbdc/atkbd.c		optional	atkbd atkbdc
--- a/sys/conf/files.i386
+++ b/sys/conf/files.i386
@ -126,7 +126,7 @@ bf_enc.o			optional crypto | ipsec ipsec_esp	\
 	dependency	"$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
 	compile-with	"${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
 	no-implicit-rule
-crypto/des/arch/i386/des_enc.S	optional crypto | ipsec ipsec_esp | netsmbcrypto
+crypto/des/arch/i386/des_enc.S	optional crypto | ipsec ipsec_esp | netsmb
 crypto/via/padlock.c		optional padlock
 dev/advansys/adv_isa.c		optional adv isa
 dev/aic/aic_isa.c		optional aic isa
--- a/sys/conf/files.ia64
+++ b/sys/conf/files.ia64
@ -44,7 +44,7 @@ contrib/ia64/libuwx/src/uwx_uinfo.c		standard
 contrib/ia64/libuwx/src/uwx_utable.c		standard
 crypto/blowfish/bf_enc.c	optional	crypto | ipsec ipsec_esp
 crypto/des/des_enc.c		optional	crypto | ipsec ipsec_esp | \
-						netsmbcrypto
+						netsmb
 dev/advansys/adv_isa.c		optional	adv isa
 dev/aic/aic_isa.c		optional	aic isa
 dev/atkbdc/atkbd.c		optional	atkbd atkbdc
--- a/sys/conf/files.pc98
+++ b/sys/conf/files.pc98
@ -82,7 +82,7 @@ bf_enc.o			optional crypto | ipsec ipsec_esp	\
 	dependency	"$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
 	compile-with	"${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
 	no-implicit-rule
-crypto/des/arch/i386/des_enc.S	optional crypto | ipsec ipsec_esp | netsmbcrypto
+crypto/des/arch/i386/des_enc.S	optional crypto | ipsec ipsec_esp | netsmb
 dev/aic/aic_cbus.c		optional aic isa
 dev/ar/if_ar.c			optional ar
 dev/ar/if_ar_pci.c		optional ar pci
--- a/sys/conf/files.powerpc
+++ b/sys/conf/files.powerpc
@ -71,7 +71,7 @@ powerpc/powerpc/db_hwwatch.c	optional	ddb
 powerpc/powerpc/db_trace.c	optional	ddb

 crypto/blowfish/bf_enc.c	optional	ipsec ipsec_esp
-crypto/des/des_enc.c		optional	ipsec ipsec_esp | netsmbcrypto
+crypto/des/des_enc.c		optional	ipsec ipsec_esp | netsmb

 dev/ofw/openfirm.c		standard
 dev/ofw/ofw_bus_if.m		standard
--- a/sys/conf/files.sparc64
+++ b/sys/conf/files.sparc64
@ -20,7 +20,7 @@ ukbdmap.h			optional	ukbd_dflt_keymap	\
 #
 crypto/blowfish/bf_enc.c	optional	crypto | ipsec ipsec_esp
 crypto/des/des_enc.c		optional	crypto | ipsec ipsec_esp | \
-						netsmbcrypto
+						netsmb
 dev/atkbdc/atkbd.c		optional	atkbd atkbdc
 dev/atkbdc/atkbd_atkbdc.c	optional	atkbd atkbdc
 dev/atkbdc/atkbdc.c		optional	atkbdc
--- a/sys/conf/options
+++ b/sys/conf/options
@ -242,8 +242,7 @@ UFS_DIRHASH	opt_ufs.h
 NFS_ROOT	opt_nfsroot.h

 # SMB/CIFS requester
-NETSMB			opt_netsmb.h
-NETSMBCRYPTO		opt_netsmb.h
+NETSMB		opt_netsmb.h

 # Experimental support for large MS-DOS filesystems; SEE WARNING IN "NOTES"!
 MSDOSFS_LARGE	opt_msdosfs.h
--- a/sys/modules/smbfs/Makefile
+++ b/sys/modules/smbfs/Makefile
@ -19,16 +19,13 @@ SRCS=	vnode_if.h \
 	smbfs_vfsops.c smbfs_node.c smbfs_io.c smbfs_vnops.c \
 	smbfs_subr.c smbfs_smb.c

-NETSMBCRYPTO=
-
-.if defined(NETSMBCRYPTO)
+# NETSMBCRYPTO
 SRCS+=	des_ecb.c des_setkey.c
 .if ${MACHINE_ARCH} == "i386"
 SRCS+=	des_enc.S
 .else
 SRCS+=	des_enc.c
 .endif
-.endif

 # Build with IPX support (1|0)
 SMB_IPX?=	0
@ -52,12 +49,6 @@ opt_inet.h:
 opt_ipx.h:
 	echo "#define IPX 1" > ${.TARGET}
 .endif
-
-# XXX netsmb should be a separate module
-.if defined(NETSMBCRYPTO)
-opt_netsmb.h:
-	echo "#define NETSMBCRYPTO 1" > ${.TARGET}
-.endif
 .endif

 .include <bsd.kmod.mk>
--- a/sys/netsmb/smb_crypt.c
+++ b/sys/netsmb/smb_crypt.c
@ -59,12 +59,10 @@ __FBSDID("$FreeBSD$");
 #include <netsmb/smb_rq.h>
 #include <netsmb/smb_dev.h>

-#include "opt_netsmb.h"
-
-#ifdef NETSMBCRYPTO
-
 #include <crypto/des/des.h>

+#include "opt_netsmb.h"
+
 static u_char N8[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};


@ -87,13 +85,11 @@ smb_E(const u_char *key, u_char *data, u_char *dest)
 	des_ecb_encrypt((des_cblock *)data, (des_cblock *)dest, *ksp, 1);
 	free(ksp, M_SMBTEMP);
 }
-#endif


 int
 smb_encrypt(const u_char *apwd, u_char *C8, u_char *RN)
 {
-#ifdef NETSMBCRYPTO
 	u_char *p, *P14, *S21;

 	p = malloc(14 + 21, M_SMBTEMP, M_WAITOK);
@ -112,17 +108,11 @@ smb_encrypt(const u_char *apwd, u_char *C8, u_char *RN)
 	smb_E(S21 + 14, C8, RN + 16);
 	free(p, M_SMBTEMP);
 	return 0;
-#else
-	SMBERROR("password encryption is not available\n");
-	bzero(RN, 24);
-	return EAUTH;
-#endif
 }

 int
 smb_ntencrypt(const u_char *apwd, u_char *C8, u_char *RN)
 {
-#ifdef NETSMBCRYPTO
 	u_char S21[21];
 	u_int16_t *unipwd;
 	MD4_CTX *ctxp;
@ -146,11 +136,6 @@ smb_ntencrypt(const u_char *apwd, u_char *C8, u_char *RN)
 	smb_E(S21 + 7, C8, RN + 8);
 	smb_E(S21 + 14, C8, RN + 16);
 	return 0;
-#else
-	SMBERROR("password encryption is not available\n");
-	bzero(RN, 24);
-	return EAUTH;
-#endif
 }

 /*
@ -159,7 +144,6 @@ smb_ntencrypt(const u_char *apwd, u_char *C8, u_char *RN)
 int
 smb_calcmackey(struct smb_vc *vcp)
 {
-#ifdef NETSMBCRYPTO
 	const char *pwd;
 	u_int16_t *unipwd;
 	int len;
@ -210,10 +194,6 @@ smb_calcmackey(struct smb_vc *vcp)
 	smb_E(S21 + 14, vcp->vc_ch, vcp->vc_mackey + 32);

 	return (0);
-#else
-	panic("smb_calcmackey: encryption not available");
-	return (0);
-#endif	/* NETSMBCRYPTO */
 }

 /*
@ -222,7 +202,6 @@ smb_calcmackey(struct smb_vc *vcp)
 int
 smb_rq_sign(struct smb_rq *rqp)
 {
-#ifdef NETSMBCRYPTO
 	struct smb_vc *vcp = rqp->sr_vc;
 	struct mbchain *mbp;
 	struct mbuf *mb;
@ -278,10 +257,6 @@ smb_rq_sign(struct smb_rq *rqp)
 	bcopy(digest, rqp->sr_rqsig, 8);

 	return (0);
-#else
-	panic("smb_rq_sign: encryption not available");
-	return (0);
-#endif	/* NETSMBCRYPTO */
 }

 /*
@ -290,7 +265,6 @@ smb_rq_sign(struct smb_rq *rqp)
 int
 smb_rq_verify(struct smb_rq *rqp)
 {
-#ifdef NETSMBCRYPTO
 	struct smb_vc *vcp = rqp->sr_vc;
 	struct mdchain *mdp;
 	u_char sigbuf[8];
@ -332,8 +306,4 @@ smb_rq_verify(struct smb_rq *rqp)
 		return (EAUTH);

 	return (0);
-#else
-	panic("smb_rq_verify: encryption not available");
-	return (0);
-#endif	/* NETSMBCRYPTO */
 }
--- a/sys/netsmb/smb_smb.c
+++ b/sys/netsmb/smb_smb.c
@ -197,10 +197,8 @@ smb_smb_negotiate(struct smb_vc *vcp, struct smb_cred *scred)
 				vcp->vc_chlen = sblen;
 				vcp->obj.co_flags |= SMBV_ENCRYPT;
 			}
-#ifdef NETSMBCRYPTO
 			if (sp->sv_sm & SMB_SM_SIGS_REQUIRE)
 				vcp->vc_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
-#endif
 			vcp->vc_hflags2 |= SMB_FLAGS2_KNOWS_LONG_NAMES;
 			if (dp->d_id == SMB_DIALECT_NTLM0_12 &&
 			    sp->sv_maxtx < 4096 &&