Discussion:
encrypt the tcon itself if seal requested on mount and set encryption support for 3.11 properly
Steve French via samba-technical
2018-04-20 22:11:10 UTC
Permalink
This patch doesn't fix all the problems (mount with 3.11 and "seal"
fails presumably because the validate negotiate like hash for the
signature is not attached to the tcon the right way - signing is
usually disabled when encryption is enabled).

Should the signature be also included in the frame even if the tcon is
encryption in SMB3.11?
--
Thanks,

Steve
Pavel Shilovsky via samba-technical
2018-04-21 00:14:31 UTC
Permalink
2018-04-20 15:11 GMT-07:00 Steve French via samba-technical
Post by Steve French via samba-technical
This patch doesn't fix all the problems (mount with 3.11 and "seal"
fails presumably because the validate negotiate like hash for the
signature is not attached to the tcon the right way - signing is
usually disabled when encryption is enabled).
Should the signature be also included in the frame even if the tcon is
encryption in SMB3.11?
--
Thanks,
Steve
Looks good. Please also fix the encryption negotiate context:

static void
build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)
{
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(6);
pneg_ctxt->CipherCount = cpu_to_le16(2);
pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
}

as we currently do not support AES128_GCM encryption. This is probably
why mount fails.

The SMB3 encryption includes signing, so, I think SMB2 header
signature may be omitted in validate negotiate if encryption is used.

We need to check if the current code works with CCM encryption for SMB
3.0 because there was a stable patch "Validate negotiate request mush
always be signed" that changed the behavior of validate negotiate
request.

Best regards,
Pavel Shilovsky
Steve French via samba-technical
2018-04-21 04:55:41 UTC
Permalink
Fixed. Disabled AES-128GCM. See attached.

Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now
encrypted if "seal" chosen on mount - tried it to Windows 2016 and to
Samba 4.7

Main remaining problem that I see is smb3.11 reconnect (it looks like
we are clearing the hash - but must be missing something)
--
Thanks,

Steve
Steve French via samba-technical
2018-04-21 17:04:24 UTC
Permalink
Any extra testing would be appreciated of this - I tried to Windows
2016 with and without encrypted share and also to Samba 4.7
Post by Steve French via samba-technical
Fixed. Disabled AES-128GCM. See attached.
Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now
encrypted if "seal" chosen on mount - tried it to Windows 2016 and to
Samba 4.7
Main remaining problem that I see is smb3.11 reconnect (it looks like
we are clearing the hash - but must be missing something)
--
Thanks,
Steve
--
Thanks,

Steve
Steve French via samba-technical
2018-04-22 15:44:59 UTC
Permalink
Needed to add one additional minor change for Samba (samba server
doesn't allow the two byte pad at the end of the negotiate context
that was the result of removing one of the ciphers and returned an
error on SMB311 negprot

I need to add:

diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index 6093e5142b2b..d28f358022c5 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -297,7 +297,7 @@ struct smb2_encryption_neg_context {
__le16 DataLength;
__le32 Reserved;
__le16 CipherCount; /* AES-128-GCM and AES-128-CCM */
- __le16 Ciphers[2]; /* Ciphers[0] since only one used now */
+ __le16 Ciphers[1]; /* Ciphers[0] since only one used now */
} __packed;

struct smb2_negotiate_rsp {
Post by Steve French via samba-technical
Any extra testing would be appreciated of this - I tried to Windows
2016 with and without encrypted share and also to Samba 4.7
Post by Steve French via samba-technical
Fixed. Disabled AES-128GCM. See attached.
Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now
encrypted if "seal" chosen on mount - tried it to Windows 2016 and to
Samba 4.7
Main remaining problem that I see is smb3.11 reconnect (it looks like
we are clearing the hash - but must be missing something)
--
Thanks,
Steve
--
Thanks,
Steve
--
Thanks,

Steve
Steve French via samba-technical
2018-04-22 23:21:41 UTC
Permalink
Version 3 of patch attached (works to Samba and Windows with 3.11)
Post by Steve French via samba-technical
Needed to add one additional minor change for Samba (samba server
doesn't allow the two byte pad at the end of the negotiate context
that was the result of removing one of the ciphers and returned an
error on SMB311 negprot
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index 6093e5142b2b..d28f358022c5 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -297,7 +297,7 @@ struct smb2_encryption_neg_context {
__le16 DataLength;
__le32 Reserved;
__le16 CipherCount; /* AES-128-GCM and AES-128-CCM */
- __le16 Ciphers[2]; /* Ciphers[0] since only one used now */
+ __le16 Ciphers[1]; /* Ciphers[0] since only one used now */
} __packed;
struct smb2_negotiate_rsp {
Post by Steve French via samba-technical
Any extra testing would be appreciated of this - I tried to Windows
2016 with and without encrypted share and also to Samba 4.7
Post by Steve French via samba-technical
Fixed. Disabled AES-128GCM. See attached.
Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now
encrypted if "seal" chosen on mount - tried it to Windows 2016 and to
Samba 4.7
Main remaining problem that I see is smb3.11 reconnect (it looks like
we are clearing the hash - but must be missing something)
--
Thanks,
Steve
--
Thanks,
Steve
--
Thanks,
Steve
--
Thanks,

Steve
Loading...