[linux-cifs-client] Re: 2 New encryption capability bits in UNIX extensions.

Steve French smfrench at austin.rr.com
Mon Mar 26 19:07:20 GMT 2007


Jeremy Allison wrote:

>Hi Steve + UNIX CIFS fans,
>
>I want to grab 2 new capability bits to implement
>the CIFS transport encryption to make us feature
>parity with NFS.
>
>Here they are :
>
>#define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP      0x40 /* We can do SPNEGO negotiations for encryption. */
>#define CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP    0x80 /* We *must* do SPNEGO negotiations for encryption. */
>
>If 0x40 is set the client may ask for encryption, if both 0x40
>and 0x80 are set the client *must* ask for encryption or it will
>be disconnected.
>
>Thoughts, comments ?
>
>Jeremy.
>
>  
>
For the poor guys that have to deal with 80 column challenged people I 
slightly prefer

#define CIFS_UNIX_MAY_ENCRYPT_CAP      0x40
#define CIFS_UNIX_MUST_ENCRYPT_CAP     0x80

It may be worth defining a meaning for 0x80 that is
different from 0xC0, but I have no immediate suggestion on that.

I am assuming that this could theoretically give us
encryption on one tid but not another which would be a wonderful
feature and probably not something trivial for NFS (as we do
SetFSInfo on the more granular tid rather than session).

Not sure if SPNEGO itself could be encrypted as we don't have a shared
secret yet - but it does mean that our tree connect and SetFSInfo would
be in the clear (which is fine with me).
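
The may/must semantics discussed above, as an added example that is not code from this thread or from the CIFS client or Samba: a client-side decision made per tree connection (tid). The policy enum, the action names and the handling of 0x80 without 0x40 are assumptions for illustration.

```c
#include <stdio.h>

/* Capability bits as proposed in the thread (short names from the reply). */
#define CIFS_UNIX_MAY_ENCRYPT_CAP   0x40
#define CIFS_UNIX_MUST_ENCRYPT_CAP  0x80

/* Hypothetical client policy and outcomes; names are not from the thread. */
enum enc_policy { ENC_OFF, ENC_IF_OFFERED, ENC_REQUIRED };
enum enc_action {
    ACT_PLAINTEXT,       /* continue without encryption */
    ACT_ASK_ENCRYPTION,  /* start SPNEGO negotiation for encryption */
    ACT_REFUSE_MOUNT,    /* local policy cannot be met: fail closed */
    ACT_BAD_CAPS         /* 0x80 without 0x40: meaning left open in the thread */
};

/* Decide what to do on one tree connection (tid), given the capability
 * value the server returned for that tid. */
enum enc_action decide_encryption(unsigned long long server_caps,
                                  enum enc_policy policy)
{
    int may  = (server_caps & CIFS_UNIX_MAY_ENCRYPT_CAP) != 0;
    int must = (server_caps & CIFS_UNIX_MUST_ENCRYPT_CAP) != 0;

    if (must && !may)
        return ACT_BAD_CAPS;          /* assumption: treat as an error */
    if (must)
        /* Server disconnects clients that do not ask, so a client
         * configured never to encrypt cannot use this share. */
        return policy == ENC_OFF ? ACT_REFUSE_MOUNT : ACT_ASK_ENCRYPTION;
    if (may)
        return policy == ENC_OFF ? ACT_PLAINTEXT : ACT_ASK_ENCRYPTION;
    /* Server offers no encryption. A client that requires it must not
     * silently fall back to cleartext. */
    return policy == ENC_REQUIRED ? ACT_REFUSE_MOUNT : ACT_PLAINTEXT;
}

int main(void)
{
    /* Constructed capability values, one per tid, for illustration. */
    unsigned long long caps[] = { 0x00, 0x40, 0xC0, 0x80 };
    for (int i = 0; i < 4; i++)
        printf("caps=0x%02llx -> action %d\n", caps[i],
               decide_encryption(caps[i], ENC_IF_OFFERED));
    return 0;
}
```

Since the capability exchange itself travels in the clear, as the reply notes, ENC_REQUIRED is the only policy here whose outcome never becomes plaintext when the advertised bits are missing.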


