RE: SMB3.11 security fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I guess, but in that case I'd still suggest to look at whether the client *can* sign,
rather than test these bits. IOW if there's a signing key, use it, otherwise fail locally
and not even attempt the tcon. It would violate the protocol otherwise.

Tom.

> -----Original Message-----
> From: Steve French <smfrench@xxxxxxxxx>
> Sent: Thursday, March 8, 2018 7:51 AM
> To: Tom Talpey <ttalpey@xxxxxxxxxxxxx>
> Cc: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>; Ronnie Sahlberg
> <lsahlber@xxxxxxxxxx>; CIFS <linux-cifs@xxxxxxxxxxxxxxx>; Aurélien Aptel
> <aaptel@xxxxxxxx>
> Subject: Re: SMB3.11 security fixes
> 
> Presumably we also need to test if the client thinks it is unsignable
> (session is guest) rather than if the server reports it authenticated
> as guest?
> 
> On Thu, Mar 8, 2018 at 7:45 AM, Tom Talpey <ttalpey@xxxxxxxxxxxxx> wrote:
> > This will work, but the SESSION_IS_NULL and SESSION_IS_GUEST tests are not
> > really needed. These two flags in the negotiate response  are somewhat
> advisory
> > from the server, and may or may not reflect the client's view. Also, it's
> strongly
> > recommended that servers not allow anonymous or guest auth, so wiring
> these
> > tests into the client implementation seems unwise.
> >
> > For your purpose, it seems that simply testing dialect and
> FLAG_ENCRYPT_DATA
> > would do the trick here. If the flag is set, NULL or guest auth cannot possibly
> be
> > in force.
> >
> > Tom.
> >
> >> -----Original Message-----
> >> From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
> >> Sent: Wednesday, March 7, 2018 7:21 PM
> >> To: Tom Talpey <ttalpey@xxxxxxxxxxxxx>
> >> Cc: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>; Steve French
> >> <smfrench@xxxxxxxxx>; CIFS <linux-cifs@xxxxxxxxxxxxxxx>; Aurélien Aptel
> >> <aaptel@xxxxxxxx>
> >> Subject: Re: SMB3.11 security fixes
> >>
> >> On Tue, Mar 6, 2018 at 2:08 AM, Tom Talpey <ttalpey@xxxxxxxxxxxxx>
> wrote:
> >> >> -----Original Message-----
> >> >> From: linux-cifs-owner@xxxxxxxxxxxxxxx <linux-cifs-
> owner@xxxxxxxxxxxxxxx>
> >> On
> >> >> Behalf Of Ronnie Sahlberg
> >> >> Sent: Sunday, March 4, 2018 10:41 PM
> >> >> To: Steve French <smfrench@xxxxxxxxx>
> >> >> Cc: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>; CIFS <linux-
> >> >> cifs@xxxxxxxxxxxxxxx>; Aurélien Aptel <aaptel@xxxxxxxx>
> >> >> Subject: Re: SMB3.11 security fixes
> >> >>
> >> >> It is not entirely clear in the spec,  but I think you might want to check
> >> >> session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA instead.
> >> >
> >> > The reason for the "don't sign if encrypted" rule is because the SMB3
> >> encryption
> >> > algorithms provide integrity protection. And yes, guest accounts provide
> no
> >> > secrets, therefore no keys so encryption is not possible. So these are two
> very
> >> > different cases.
> >>
> >> Ok, so then the check should look something like this ?
> >>
> >> + /* 3.11 tcon req must be signed when encryption is not used for all
> >> authenticated users. See MS-SMB2 3.2.4.1.1 */
> >> + if ((ses->server->dialect >= SMB311_PROT_ID) &&
> >> +    !(ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
> >> +    !(ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
> >> +    !(ses->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA))
> >> + req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >> +
> >>
> >> >
> >> > If something's not clear in the document, definitely let us know and
> >> > we'll consider clarifying.
> >> >
> >> > Tom.
> >> >
> >> >>
> >> >> I will try to test this tomorrow.  If not, and your tests work for all your
> tests
> >> >> then a reviewed-by: Ronnie sahlberg <lsahlber@xxxxxxxxxx>
> >> >>
> >> >>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Steve French" <smfrench@xxxxxxxxx>
> >> >> To: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
> >> >> Cc: "CIFS" <linux-cifs@xxxxxxxxxxxxxxx>, "Aurélien Aptel"
> >> <aaptel@xxxxxxxx>
> >> >> Sent: Monday, 5 March, 2018 5:16:45 PM
> >> >> Subject: Re: SMB3.11 security fixes
> >> >>
> >> >> Those are good points - but may be tricky to test the latter.
> >> >>
> >> >> On Mon, Mar 5, 2018 at 12:08 AM, ronnie sahlberg
> >> >> <ronniesahlberg@xxxxxxxxx> wrote:
> >> >> > Two nits
> >> >> >
> >> >> > 1, maybe change the conditional to check for >= 3.1.1 instead of ==
> 3.1.1
> >> >> > (since it is unlikely this requirement will revert back once we have
> >> >> > later versions of smb3.)
> >> >> >
> >> >> > 2, 3.2.4.1.1 says signing must be used IF the session has
> >> >> > EncryptData==False, but that is not what the code checks for.
> >> >> > It checks for is !guest user. Is that the right check?
> >> >> > (guest can never have encrypted sessions  but !guest can have
> >> >> > not-encrypted sessions.)
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Sun, Mar 4, 2018 at 8:12 AM, Steve French <smfrench@xxxxxxxxx>
> >> >> wrote:
> >> >> >> Proposed fix for the SMB3.11 (non-mandatory signing) case.
> >> >> >>
> >> >> >> See MS-SMB2 3.2.4.1.1
> >> >> >>
> >> >> >> On Sat, Mar 3, 2018 at 3:08 PM, Steve French <smfrench@xxxxxxxxx>
> >> >> wrote:
> >> >> >>> SMB3.11 signing now works, thanks to Aurelien's patches (it had
> >> >> >>> already worked as guest, but not as a regular user).
> >> >> >>>
> >> >> >>> It needs one minor fix (to send the signature on SMB3.11 tcon) to fix
> >> >> >>> the non-signing case.  Am testing that now, but getting SMB3.11
> >> >> >>> signing working is a big step and important for security.
> >> >> >>>
> >> >> >>> --
> >> >> >>> Thanks,
> >> >> >>>
> >> >> >>> Steve
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Thanks,
> >> >> >>
> >> >> >> Steve
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Thanks,
> >> >>
> >> >> Steve
> >> >> --
> >> >> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> >> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> >> More majordomo info at
> >> >>
> >>
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvger.kerne
> >> >> l.org%2Fmajordomo-
> >> >>
> >>
> info.html&data=04%7C01%7Cttalpey%40microsoft.com%7Ce7d08b64d72b403
> >> >>
> >>
> 179bd08d582640e7f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C
> >> >>
> >>
> 636558288607416690%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> >> >> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-
> >> >>
> >>
> 2&sdata=3ffZ1CqcsH97D3tfeU7Qca9%2B4GBqCSbR7jj5nef%2FQDY%3D&reser
> >> >> ved=0
> >> >> --
> >> >> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> >> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> >> More majordomo info at
> >> >>
> >>
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvger.kerne
> >> >> l.org%2Fmajordomo-
> >> >>
> >>
> info.html&data=04%7C01%7Cttalpey%40microsoft.com%7Ce7d08b64d72b403
> >> >>
> >>
> 179bd08d582640e7f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C
> >> >>
> >>
> 636558288607416690%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> >> >> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-
> >> >>
> >>
> 2&sdata=3ffZ1CqcsH97D3tfeU7Qca9%2B4GBqCSbR7jj5nef%2FQDY%3D&reser
> >> >> ved=0
> 
> 
> 
> --
> Thanks,
> 
> Steve
��.n��������+%������w��{.n�����{�����ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f
[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux