Commit 83912d6d authored by Marcos Del Sol Vives's avatar Marcos Del Sol Vives Committed by Steve French

ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1

According to the official Microsoft MS-SMB2 document section 3.3.5.4, this
flag should be used only for 3.0 and 3.0.2 dialects. Setting it for 3.1.1
is a violation of the specification.

This causes my Windows 10 client to detect an anomaly in the negotiation,
and disable encryption entirely despite being explicitly enabled in ksmbd,
causing all data transfers to go in plain text.

Fixes: e2f34481 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org # v5.15
Acked-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarMarcos Del Sol Vives <marcos@orca.pet>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent f2e78aff
...@@ -271,9 +271,6 @@ int init_smb3_11_server(struct ksmbd_conn *conn) ...@@ -271,9 +271,6 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES) if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING; conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
if (conn->cipher_type)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL; conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
......
...@@ -915,6 +915,25 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn, ...@@ -915,6 +915,25 @@ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
} }
} }
/**
* smb3_encryption_negotiated() - checks if server and client agreed on enabling encryption
* @conn: smb connection
*
* Return: true if connection should be encrypted, else false
*/
static bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
{
if (!conn->ops->generate_encryptionkey)
return false;
/*
* SMB 3.0 and 3.0.2 dialects use the SMB2_GLOBAL_CAP_ENCRYPTION flag.
* SMB 3.1.1 uses the cipher_type field.
*/
return (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) ||
conn->cipher_type;
}
static void decode_compress_ctxt(struct ksmbd_conn *conn, static void decode_compress_ctxt(struct ksmbd_conn *conn,
struct smb2_compression_capabilities_context *pneg_ctxt) struct smb2_compression_capabilities_context *pneg_ctxt)
{ {
...@@ -1469,8 +1488,7 @@ static int ntlm_authenticate(struct ksmbd_work *work) ...@@ -1469,8 +1488,7 @@ static int ntlm_authenticate(struct ksmbd_work *work)
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true; sess->sign = true;
if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION && if (smb3_encryption_negotiated(conn) &&
conn->ops->generate_encryptionkey &&
!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
rc = conn->ops->generate_encryptionkey(sess); rc = conn->ops->generate_encryptionkey(sess);
if (rc) { if (rc) {
...@@ -1559,8 +1577,7 @@ static int krb5_authenticate(struct ksmbd_work *work) ...@@ -1559,8 +1577,7 @@ static int krb5_authenticate(struct ksmbd_work *work)
(req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
sess->sign = true; sess->sign = true;
if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) && if (smb3_encryption_negotiated(conn)) {
conn->ops->generate_encryptionkey) {
retval = conn->ops->generate_encryptionkey(sess); retval = conn->ops->generate_encryptionkey(sess);
if (retval) { if (retval) {
ksmbd_debug(SMB, ksmbd_debug(SMB,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment