From patchwork Sat Apr 21 04:55:41 2018
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 10353955
From: Steve French
Date: Fri, 20 Apr 2018 23:55:41 -0500
Subject: Re: encrypt the tcon itself if seal requested on mount and set encryption support for 3.11 properly
To: Pavel Shilovsky, CIFS, samba-technical
Cc: Jeremy Allison
X-Mailing-List: linux-cifs@vger.kernel.org

On Fri, Apr 20, 2018 at 7:14 PM, Pavel Shilovsky wrote:
> Looks good. Please also fix the encryption negotiate context:

Fixed. Disabled AES-128GCM. See attached.

Seems to work ok to Windows 3.11 now, and SMB3 tconx is also now encrypted if "seal" chosen on mount - tried it to Windows 2016 and to Samba 4.7

Main remaining problem that I see is smb3.11 reconnect (it looks like we are clearing the hash - but must be missing something)

From 4bd6478ff8f0d0fa75f69c8edbc3535aa6de357d Mon Sep 17 00:00:00 2001
From: Steve French
Date: Fri, 20 Apr 2018 23:44:48 -0500
Subject: [PATCH] SMB3: Fix 3.11 encryption to Windows and handle encrypted smb3 tcon

Temporarily disable AES-GCM, as AES-CCM is the only currently enabled mechanism on the client side. This fixes SMB3.11 encrypted mounts to Windows.

Also, the tree connect request itself should be encrypted if encryption was requested ("seal" on mount); in addition, we should be enabling encryption in 3.11 based on whether we got any valid encryption ciphers back in negprot (the corresponding session flag is not set as it is in 3.0 and 3.02).

Signed-off-by: Steve French
Reviewed-by: Pavel Shilovsky
CC: Stable
---
 fs/cifs/connect.c | 32 ++++++++++++++++----------------
 fs/cifs/smb2pdu.c |  9 +++++----
 2 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index e8830f076a7f..a5aa158d535a 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2959,6 +2959,22 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) } } + if (volume_info->seal) { + if (ses->server->vals->protocol_id == 0) { + cifs_dbg(VFS, + "SMB3 or later required for encryption\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } else if (tcon->ses->server->capabilities & + SMB2_GLOBAL_CAP_ENCRYPTION) + tcon->seal = true; + else { + cifs_dbg(VFS, "Encryption is not supported on share\n"); + rc = -EOPNOTSUPP; + goto out_fail; + } + } + /* * BB Do we need to wrap session_mutex around this TCon call and Unix * SetFS as we do on SessSetup and reconnect? @@ -3007,22 +3023,6 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info) tcon->use_resilient = true; } - if (volume_info->seal) { - if (ses->server->vals->protocol_id == 0) { - cifs_dbg(VFS, - "SMB3 or later required for encryption\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } else if (tcon->ses->server->capabilities & - SMB2_GLOBAL_CAP_ENCRYPTION) - tcon->seal = true; - else { - cifs_dbg(VFS, "Encryption is not supported on share\n"); - rc = -EOPNOTSUPP; - goto out_fail; - } - } - /* * We can have only one retry value for a connection to a share so for * resources mounted more than once to the same server share the last diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 0f044c4a2dc9..9aea138dd71f 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -383,10 +383,10 @@ static void build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt) { pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES; - pneg_ctxt->DataLength = cpu_to_le16(6); - pneg_ctxt->CipherCount = cpu_to_le16(2); - pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM; - pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM; + pneg_ctxt->DataLength = cpu_to_le16(4); /* Cipher Count + le16 cipher */ + pneg_ctxt->CipherCount = cpu_to_le16(1); +/* pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;*/ /* not supported yet */ + pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_CCM; } static void 
@@ -444,6 +444,7 @@ static int decode_encrypt_ctx(struct TCP_Server_Info *server, return -EINVAL; } server->cipher_type = ctxt->Ciphers[0]; + server->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION; return 0; } -- 2.14.1
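Review bot: in the relocated seal block of the first connect.c hunk (`@@ -2959,6 +2959,22 @@`), the first condition reads `ses->server->vals->protocol_id` while the second reads `tcon->ses->server->capabilities`; since the block is being moved anyway, use one spelling (`ses->server`) for both. The `else if` branch sets `tcon->seal = true;` without braces while its sibling branches are braced, which kernel style asks to make consistent. The message "Encryption is not supported on share" also fires on a missing server-wide SMB2_GLOBAL_CAP_ENCRYPTION rather than any per-share property, so "by server" would describe the failure more accurately.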
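Review bot: the second connect.c hunk (`@@ -3007,22 +3023,6 @@`) is the byte-identical removal half of the move above, so the functional change is purely positional: with the old placement, after the `use_resilient` handling, `tcon->seal` was only set once the tree connect had already gone out, which is how a "seal" mount ended up sending its tree connect unencrypted. The commit message says the tree connect should be encrypted but not that the ordering was the cause; one sentence saying so would make the Stable backport self-explanatory. Since the `-EOPNOTSUPP` `goto out_fail` now runs before the tree connect, also confirm `out_fail` tears down only what has been set up at that earlier point.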
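Review bot: in the build_encrypt_ctxt hunk (`@@ -383,10 +383,10 @@`), prefer dropping the commented-out line `/* pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;*/ /* not supported yet */` in favour of a plain comment (for example `/* TODO: advertise AES128_GCM, preferred first, once the client implements it */`); commented-out code rots and checkpatch will complain about it. The new `DataLength` of 4 is right for one cipher (2 bytes for CipherCount plus 2 per cipher), but deriving it from the count in one place rather than hand-editing both `cpu_to_le16(4)` and `cpu_to_le16(1)` would keep the two from drifting apart again when GCM is re-added. Advertising only the cipher the client can actually run is the correct call: offering GCM first and then being unable to use it is what broke SMB 3.1.1 encrypted mounts to Windows.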
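Review bot: the added `server->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;` in decode_encrypt_ctx (`@@ -444,6 +444,7 @@`) reuses the SMB 3.0/3.02 negotiate capability bit to record that a 3.1.1 server returned a usable encryption context; a one-line comment here would save the next reader from searching for where the server sent that bit. Two follow-ups worth checking: the assignment just above, `server->cipher_type = ctxt->Ciphers[0];`, should only be reached if the check that returns `-EINVAL` confirms the server chose AES128_CCM, now the sole cipher offered in build_encrypt_ctxt (a server echoing GCM would otherwise land in `cipher_type` with no client implementation behind it); and since this bit is OR'd into `server->capabilities` during negotiate, make sure it survives or is re-derived on reconnect, which is the case Steve reports as still failing.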
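As an added illustration (my own user-space code, not part of this patch or of the kernel's cifs client), the following encodes and validates the SMB2_ENCRYPTION_CAPABILITIES negotiate context that the smb2pdu.c hunks change. It shows why DataLength moves from 6 to 4 when the offer shrinks from two ciphers to one (2 bytes of CipherCount plus 2 per cipher) and, on the reply side, rejects a server that echoes a cipher the client never offered, so a cipher the client cannot run is never recorded as the session cipher. The context-type and cipher ids are the MS-SMB2 values (context type 0x0002, AES-128-CCM 0x0001, AES-128-GCM 0x0002) and the 8-byte context header layout is the one MS-SMB2 specifies; the function names, the two sample reply buffers and the wrapper functions are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from MS-SMB2: negotiate context type (2.2.3.1) and cipher ids (2.2.3.1.2). */
#define SMB2_ENCRYPTION_CAPABILITIES 0x0002
#define SMB2_ENCRYPTION_AES128_CCM   0x0001
#define SMB2_ENCRYPTION_AES128_GCM   0x0002

/*
 * Wire layout of one SMB2 negotiate context (all little-endian):
 *   ContextType (2) | DataLength (2) | Reserved (4) | Data (DataLength bytes)
 * For SMB2_ENCRYPTION_CAPABILITIES the Data part is:
 *   CipherCount (2) | Ciphers[CipherCount] (2 each)
 * so DataLength = 2 + 2 * CipherCount: 6 for two ciphers, 4 for one.
 */
#define NEG_CTXT_HDR_LEN 8

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Encode the client's context, advertising exactly the ciphers passed in.
 * Returns the bytes written, or 0 if nothing is offered or the buffer is too
 * small. Hypothetical helper, not the kernel's build_encrypt_ctxt. */
size_t encode_encryption_context(uint8_t *buf, size_t buflen,
                                 const uint16_t *ciphers, uint16_t count)
{
    size_t datalen = 2 + 2 * (size_t)count;  /* CipherCount + one le16 per cipher */
    size_t total = NEG_CTXT_HDR_LEN + datalen;

    if (count == 0 || buflen < total)
        return 0;
    put_le16(buf + 0, SMB2_ENCRYPTION_CAPABILITIES);
    put_le16(buf + 2, (uint16_t)datalen);
    memset(buf + 4, 0, 4);                    /* Reserved */
    put_le16(buf + 8, count);
    for (uint16_t i = 0; i < count; i++)
        put_le16(buf + 10 + 2 * i, ciphers[i]);
    return total;
}

/* Validate the server's reply context. The server must echo exactly one
 * cipher, and this check also insists it be one the client offered, so an
 * unsupported cipher is rejected (-1) instead of being adopted. On success
 * stores the cipher in *chosen and returns 0. Hypothetical helper. */
int check_encryption_context(const uint8_t *buf, size_t len,
                             const uint16_t *offered, uint16_t offered_count,
                             uint16_t *chosen)
{
    if (len < NEG_CTXT_HDR_LEN + 4)
        return -1;
    if (get_le16(buf) != SMB2_ENCRYPTION_CAPABILITIES)
        return -1;
    if (get_le16(buf + 2) != 4)               /* CipherCount + a single cipher */
        return -1;
    if (get_le16(buf + 8) != 1)
        return -1;
    uint16_t c = get_le16(buf + 10);
    for (uint16_t i = 0; i < offered_count; i++) {
        if (offered[i] == c) {
            *chosen = c;
            return 0;
        }
    }
    return -1;                                /* server picked a cipher we never offered */
}

/* Constructed sample server replies: ContextType 2, DataLength 4, Reserved,
 * CipherCount 1, then the chosen cipher id (CCM in the first, GCM in the second). */
static const uint8_t reply_ccm[12] = { 2,0, 4,0, 0,0,0,0, 1,0, 1,0 };
static const uint8_t reply_gcm[12] = { 2,0, 4,0, 0,0,0,0, 1,0, 2,0 };

/* Offer only AES-128-CCM, as the patch does, and return the encoded DataLength
 * field, or -1 if encoding fails. */
int ccm_only_datalength(void)
{
    uint8_t buf[32];
    const uint16_t offered[] = { SMB2_ENCRYPTION_AES128_CCM };
    if (encode_encryption_context(buf, sizeof buf, offered, 1) != 12)
        return -1;
    return get_le16(buf + 2);
}

/* Same for the pre-patch offer of GCM followed by CCM. */
int gcm_and_ccm_datalength(void)
{
    uint8_t buf[32];
    const uint16_t offered[] = { SMB2_ENCRYPTION_AES128_GCM, SMB2_ENCRYPTION_AES128_CCM };
    if (encode_encryption_context(buf, sizeof buf, offered, 2) != 14)
        return -1;
    return get_le16(buf + 2);
}

/* 0 if the reply is accepted against a CCM-only offer, -1 if it is rejected. */
int ccm_only_accepts(const uint8_t *reply)
{
    const uint16_t offered[] = { SMB2_ENCRYPTION_AES128_CCM };
    uint16_t chosen = 0;
    return check_encryption_context(reply, 12, offered, 1, &chosen);
}

int main(void)
{
    printf("CCM-only DataLength: %d\n", ccm_only_datalength());     /* 4 */
    printf("GCM+CCM DataLength:  %d\n", gcm_and_ccm_datalength());  /* 6 */
    printf("server picks CCM: %s\n", ccm_only_accepts(reply_ccm) == 0 ? "accepted" : "rejected");
    printf("server picks GCM: %s\n", ccm_only_accepts(reply_gcm) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The second reply buffer is the case the decode_encrypt_ctx hunk should guard against after this patch: once the client offers only CCM, a server answering with GCM must be refused rather than stored as the cipher type.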