2018-04-20 15:11 GMT-07:00 Steve French via samba-technical
<samba-technical@xxxxxxxxxxxxxxx>:
> This patch doesn't fix all the problems (mount with 3.11 and "seal"
> fails presumably because the validate negotiate like hash for the
> signature is not attached to the tcon the right way - signing is
> usually disabled when encryption is enabled).
>
> Should the signature be also included in the frame even if the tcon is
> encryption in SMB3.11?
>
>
> --
> Thanks,
>
> Steve
Looks good. Please also fix the encryption negotiate context:
static void
build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)
{
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(6);
pneg_ctxt->CipherCount = cpu_to_le16(2);
pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;
}
as we currently do not support AES128_GCM encryption. This is probably
why mount fails.
The SMB3 encryption includes signing, so, I think SMB2 header
signature may be omitted in validate negotiate if encryption is used.
We need to check if the current code works with CCM encryption for SMB
3.0 because there was a stable patch "Validate negotiate request mush
always be signed" that changed the behavior of validate negotiate
request.
Best regards,
Pavel Shilovsky
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
