Ronnie Sahlberg <lsahlber@xxxxxxxxxx> writes:
> Fix Guest/Anonymous sessions so that they work with SMB 3.11.
>
> In git commit 6188f28 tightened the conditions and forced signing for
> the SMB2-TreeConnect commands as per MS-SMB2.
We could add a
Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")
tag in the commit message.
>
> - /* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1 */
> + /*
> + * 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
> + * unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
> + */
> if ((ses->server->dialect == SMB311_PROT_ID) &&
> - !smb3_encryption_required(tcon))
> + !smb3_encryption_required(tcon) &&
> + !(ses->session_flags & (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
> req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>
> memset(&rqst, 0, sizeof(struct smb_rqst));
I suspect there might more (and/or better) places to check. If you grep for
SMB2_FLAGS_SIGNED there are a couple of other places that should be
considered:
smb2_hdr_assemble() { ...
if (tcon->ses && tcon->ses->server && tcon->ses->server->sign &&
!smb3_encryption_required(tcon))
shdr->Flags |= SMB2_FLAGS_SIGNED;
...
}
cifs_get_smb_ses() { ...
ses->sectype = volume_info->sectype;
ses->sign = volume_info->sign;
mutex_lock(&ses->session_mutex);
rc = cifs_negotiate_protocol(xid, ses);
if (!rc)
rc = cifs_setup_session(xid, ses, volume_info->local_nls);
mutex_unlock(&ses->session_mutex);
if (rc)
goto get_ses_fail;
...
}
After negprot and before sess setup we already know the protocol version so I guess there
could be some patch there as well.
See also SMB2_logoff(), SMB2_ioctl_init(), cifs_enable_signing()
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
