Regression in CIFS due to a change to improve maintainability and security (was: Re: Linux regressions report for mainline [2022-02-20])

From: Thorsten Leemhuis
Date: Mon Feb 21 2022 - 02:12:02 EST



Hey Linus!

On 20.02.22 20:51, Regzbot (on behalf of Thorsten Leemhuis) wrote:
> Hi, Thorsten here, with a quick preface before the latest report from
> regzbot. From my side things seem to look normal right now; in fact
> quite a few mainline regressions that I've been tracking got resolved in
> the past few days (I removed two from the report that are fixed by
> changes in the git tags Borislav and Dmitry asked you to pull this
> weekend; guess you will merge them later today).
> [...]

Those as expected got merged, great. But I forgot to mention one thing
in my preface: there is a regression introduced in the 5.15 cycle where
I'd like to hear your opinion, as it's one of those tricky issues that
might need a judgement call, as it's security related.

The culprit here is 76a3c92ec9e0 ("cifs: remove support for NTLM and
weaker authentication algorithms"), which as of now afaics cleanly
reverts in mainline. As the title indicates, it's a change to remove
code in the interest of maintainability and security, but it seems some
people are now unable to access CIFS 1.0 shares on some devices (like
the media player "mede8er med600x3"). For details see:

https://lore.kernel.org/lkml/CAJjP=Bt52AW_w2sKnM=MbckPkH1hevPMJVWm_Wf%2BwThmR72YTg@xxxxxxxxxxxxxx/

[some backstory can also be found in the two bug tickets linked there,
which show the reporter is not the only one that ran into the
regression; see for example
https://bugzilla.kernel.org/show_bug.cgi?id=215375#c13 ]

I recently brought "should this be reverted" up in the discussion and
this is what Ronnie (who authored 76a3c92ec9e0) replied in
https://lore.kernel.org/lkml/CAN05THQbR4d55kx6MEHGcn-iLZKJG1C0vhq19wfo=NrB6q1Apg@xxxxxxxxxxxxxx/

> Right now you can likely just revert it. Maybe in the next kernel too.
> But in a kernel not too far into the future some of the crypto primitives
> that this depended on will simply not exist any more in the linux kernel
> and will not be available through the standard api.
>
> At that point it is no longer a matter of just reverting the patch but
> a matter of re-importing an equivalent crypto replacement and port
> cifs.ko to its new api.
>
> That is a lot of work and maintenance for something that is obsolete.

I also asked the reporter if win11 still is able to access the device,
and this is what he replied in
https://lore.kernel.org/lkml/CAJjP=Bus1_ce4vbHXpiou1WrSe8a61U1NzGm4XvN5fYCPGNikA@xxxxxxxxxxxxxx/

> Thorsten: the only group policy modification I have on my win11
> machine (which was loaded fresh not too long ago) is to enable insecure
> guest logins, which is obviously required for samba shares where the
> share allows a guest login without any password.
> I have to enable this to browse the shares on my Gentoo machine from
> the win11 machine anyway.

Now I'm a bit unsure what the best way forward is here; if you have one
and want to share it, could you please do so in the above thread (it's on
LKML, subject is "Possible regression: unable to mount CIFS 1.0 shares
from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c"), as
that's where everybody is CCed. tia!

Ciao, Thorsten