From patchwork Sun Apr 22 23:21:41 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve French X-Patchwork-Id: 10355949 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D004360231 for ; Sun, 22 Apr 2018 23:22:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B3CF22880F for ; Sun, 22 Apr 2018 23:22:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A843E2897A; Sun, 22 Apr 2018 23:22:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, T_DKIM_INVALID, T_TVD_MIME_EPI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0B89528965 for ; Sun, 22 Apr 2018 23:22:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753577AbeDVXWD (ORCPT ); Sun, 22 Apr 2018 19:22:03 -0400 Received: from mail-pg0-f42.google.com ([74.125.83.42]:33207 "EHLO mail-pg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753443AbeDVXWC (ORCPT ); Sun, 22 Apr 2018 19:22:02 -0400 Received: by mail-pg0-f42.google.com with SMTP id i194so7068327pgd.0 for ; Sun, 22 Apr 2018 16:22:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K2+5NVjK29pLFPB5DL7SnwnIL7ARvfVhCaDB+lByw78=; b=SdlUSXcwizAWjOOX1KFSKH8us6apwW5qxpsHvKgPZHRilP9ZzwFNK9EUTEafiNqaHV /pABHdEujhstsz5YsTgYuNMVG8x/DGMKrTnq9jkwuqwilJ1rVeYNPwNIc+G2SDJlArIV 5j9xaY2bjr5uOJFE/8J8rljthXICVKVQfrVKDIcKgZqTn+dFfeimyB/NVwsCR4ZrkDM0 7pnnidUE0F47NJct81EFSy65pdh/YRTbUqr0OnxzN5bbqgk9tJk/GW29K6DPH2yUgy2R 4T0kGa0ku0AZu/bjZbjvhpTSWE6FA7hXel4dd3AZFDiFuNTAJFbmOHySXQwtLHCn2RrJ wWfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K2+5NVjK29pLFPB5DL7SnwnIL7ARvfVhCaDB+lByw78=; b=HNJnS5H6xPkmUp2DqYYOI9yiaVdF2QC6tYWQHEB5rwzAblarHCyXw5iYp3/1G2kpKY FnlEsjgrR3PYQqKP21aFjdR0+t58SnMHJcXIKardReE5J3Ay3+B1iioY1lWWwV7Ai1Rx sMDgTDBWsgq+klheSfaOBPVmUeneHMopDGGkfSvKMGnnDjh/t2bgWXzjn7WYh+Vq7xdw 2csbgN/38vNnGODPWPEztfIt2ixADfwwU0GDJEhQQyvYkxf+8cVHS+YRtvPEBlj9K/iE iVUc418j3xGKBgd9h9sYfN0XUGoa+6tPH1MfQ5rwh9c6KxSDqiIEU1X0j3a8q3iyQngM 3krw== X-Gm-Message-State: ALQs6tAsyocN/VcrY7LNijq1a6tbo4arNPA+PLDB1Jz6FKk0Eq0E0f2C Q8VGILLiRDyH9ph24V0ispF3s+mtn7YDWroCPJnfXg== X-Google-Smtp-Source: AIpwx4+nqpdPzOP4dCHZz1SEtvzHX3ZnTttzu2h93qOGZqI8xaY2okCtLcQrhTyk83ha1hCgSUrk3Rcv+jvQRetFhD4= X-Received: by 2002:a17:902:7e05:: with SMTP id b5-v6mr18268045plm.230.1524439322128; Sun, 22 Apr 2018 16:22:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.100.152.97 with HTTP; Sun, 22 Apr 2018 16:21:41 -0700 (PDT) In-Reply-To: References: From: Steve French Date: Sun, 22 Apr 2018 18:21:41 -0500 Message-ID: Subject: Re: encrypt the tcon itself if seal requested on mount and set encryption support for 3.11 properly To: Pavel Shilovsky , CIFS , samba-technical Cc: Jeremy Allison Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Version 3 of patch attached (works to Samba and Windows with 3.11) On Sun, Apr 22, 2018 at 10:44 AM, Steve French wrote: > Needed to add one additional minor change for Samba (samba server > doesn't allow the two byte pad at the end of the negotiate context > that was the result of removing one of the ciphers and returned an > error on SMB311 negprot > > I need to add: > > diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h > index 6093e5142b2b..d28f358022c5 100644 > --- a/fs/cifs/smb2pdu.h > +++ b/fs/cifs/smb2pdu.h > @@ -297,7 +297,7 @@ struct smb2_encryption_neg_context { > __le16 DataLength; > __le32 Reserved; > __le16 CipherCount; /* AES-128-GCM and AES-128-CCM */ > - __le16 Ciphers[2]; /* Ciphers[0] since only one used now */ > + __le16 Ciphers[1]; /* Ciphers[0] since only one used now */ > } __packed; > > struct smb2_negotiate_rsp { > sfrench@Ubuntu-17-Virtual-Ma > > On Sat, Apr 21, 2018 at 12:04 PM, Steve French wrote: >> Any extra testing would be appreciated of this - I tried to Windows >> 2016 with and without encrypted share and also to Samba 4.7 >> >> On Fri, Apr 20, 2018 at 11:55 PM, Steve French wrote: >>> On Fri, Apr 20, 2018 at 7:14 PM, Pavel Shilovsky wrote: >>>> Looks good. Please also fix the encryption negotiate context: >>> >>> Fixed. Disabled AES-128GCM. See attached. >>> >>> Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now >>> encrypted if "seal" chosen on mount - tried it to Windows 2016 and to >>> Samba 4.7 >>> >>> Main remaining problem that I see is smb3.11 reconnect (it looks like >>> we are clearing the hash - but must be missing something) >>> -- >>> Thanks, >>> >>> Steve >> >> >> >> -- >> Thanks, >> >> Steve > > > > -- > Thanks, > > Steve From 0d5efcd4fa736ff71a4dc6b894b70323222df796 Mon Sep 17 00:00:00 2001 From: Steve French Date: Sun, 22 Apr 2018 15:14:58 -0500 Subject: [PATCH 42/42] SMB3: Fix 3.11 encryption to Windows and handle encrypted smb3 tcon Temporarily disable AES-GCM, as AES-CCM is only currently enabled mechanism on client side. This fixes SMB3.11 encrypted mounts to Windows. Also the tree connect request itself should be encrypted if requested encryption ("seal" on mount), in addition we should be enabling encryption in 3.11 based on whether we got any valid encryption ciphers back in negprot (the corresponding session flag is not set as it is in 3.0 and 3.02) Signed-off-by: Steve French Reviewed-by: Pavel Shilovsky CC: Stable --- fs/cifs/connect.c | 32 ++++++++++++++++---------------- fs/cifs/smb2pdu.c | 9 +++++---- fs/cifs/smb2pdu.h | 2 +- 3 files changed, 22 insertions(+), 21 deletions(-) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index e8830f076a7f..a5aa158d535a 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -2959,6 +2959,22 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) } } + if (volume_info->seal) { + if (ses->server->vals->protocol_id == 0) { + cifs_dbg(VFS, + "SMB3 or later required for encryption\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } else if (tcon->ses->server->capabilities & + SMB2_GLOBAL_CAP_ENCRYPTION) + tcon->seal = true; + else { + cifs_dbg(VFS, "Encryption is not supported on share\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } + } + /* * BB Do we need to wrap session_mutex around this TCon call and Unix * SetFS as we do on SessSetup and reconnect? @@ -3007,22 +3023,6 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) tcon->use_resilient = true; } - if (volume_info->seal) { - if (ses->server->vals->protocol_id == 0) { - cifs_dbg(VFS, - "SMB3 or later required for encryption\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } else if (tcon->ses->server->capabilities & - SMB2_GLOBAL_CAP_ENCRYPTION) - tcon->seal = true; - else { - cifs_dbg(VFS, "Encryption is not supported on share\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } - } - /* * We can have only one retry value for a connection to a share so for * resources mounted more than once to the same server share the last diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 0f044c4a2dc9..9aea138dd71f 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -383,10 +383,10 @@ static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt) { pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES; - pneg_ctxt->DataLength = cpu_to_le16(6); - pneg_ctxt->CipherCount = cpu_to_le16(2); - pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM; - pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM; + pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + le16 cipher */ + pneg_ctxt->CipherCount = cpu_to_le16(1); +/* pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;*/ /* not supported yet */ + pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_CCM; } static void @@ -444,6 +444,7 @@ static int decode_encrypt_ctx(struct TCP_Server_Info *server, return -EINVAL; } server->cipher_type = ctxt->Ciphers[0]; + server->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION; return 0; } diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index 6093e5142b2b..d28f358022c5 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h @@ -297,7 +297,7 @@ struct smb2_encryption_neg_context { __le16 DataLength; __le32 Reserved; __le16 CipherCount; /* AES-128-GCM and AES-128-CCM */ - __le16 Ciphers[2]; /* Ciphers[0] since only one used now */ + __le16 Ciphers[1]; /* Ciphers[0] since only one used now */ } __packed; struct smb2_negotiate_rsp { -- 2.14.1