It is not entirely clear in the spec, but I think you might want to check
session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA instead.
I will try to test this tomorrow.

If not, and your tests work for all your tests, then a
reviewed-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>

----- Original Message -----
From: "Steve French" <smfrench@xxxxxxxxx>
To: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Cc: "CIFS" <linux-cifs@xxxxxxxxxxxxxxx>, "Aurélien Aptel" <aaptel@xxxxxxxx>
Sent: Monday, 5 March, 2018 5:16:45 PM
Subject: Re: SMB3.11 security fixes

Those are good points - but may be tricky to test the latter.

On Mon, Mar 5, 2018 at 12:08 AM, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> Two nits
>
> 1, maybe change the conditional to check for >= 3.1.1 instead of == 3.1.1
> (since it is unlikely this requirement will revert back once we have
> later versions of smb3.)
>
> 2, 3.2.4.1.1 says signing must be used IF the session has
> EncryptData==False, but that is not what the code checks for.
> What it checks for is !guest user. Is that the right check?
> (guest can never have encrypted sessions but !guest can have
> not-encrypted sessions.)
>
> On Sun, Mar 4, 2018 at 8:12 AM, Steve French <smfrench@xxxxxxxxx> wrote:
>> Proposed fix for the SMB3.11 (non-mandatory signing) case.
>>
>> See MS-SMB2 3.2.4.1.1
>>
>> On Sat, Mar 3, 2018 at 3:08 PM, Steve French <smfrench@xxxxxxxxx> wrote:
>>> SMB3.11 signing now works, thanks to Aurelien's patches (it had
>>> already worked as guest, but not as a regular user).
>>>
>>> It needs one minor fix (to send the signature on SMB3.11 tcon) to fix
>>> the non-signing case. Am testing that now, but getting SMB3.11
>>> signing working is a big step and important for security.
>>>
>>> --
>>> Thanks,
>>>
>>> Steve
>>
>> --
>> Thanks,
>>
>> Steve

--
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html