[cifs-protocol] [REG: 112082770583609] SMB3 encryption and ECHO command
Edgar Olougouna
edgaro at microsoft.com
Mon Sep 3 13:41:57 MDT 2012
Metze,
As specified in 2.2.1.1 and 2.2.1.2, the ECHO command does not require a SessionId.
- If the client sends a non-encrypted ECHO, Windows 8 server will respond with a non-encrypted response.
- More broadly, if the client encrypts any request (including an ECHO), Windows 8 server responds in-kind by encrypting the response.
A future update to MS-SMB2 will reflect that if the client encrypts any request on an encrypted channel, the server will also encrypt the response.
Regards,
Edgar
-----Original Message-----
From: Edgar Olougouna
Sent: Monday, August 27, 2012 4:04 PM
To: Stefan (metze) Metzmacher
Cc: cifs-protocol at cifs.org
Subject: [REG: 112082770583609] SMB3 encryption and ECHO command
Metze,
While investigating this, I also opened a separate case (112082770583609) for the ECHO command.
A document bug has been opened to clarify SMB3 encryption regarding the ECHO command.
Regards,
Edgar
-----Original Message-----
From: Edgar Olougouna
Sent: Thursday, August 23, 2012 3:06 PM
To: 'Stefan (metze) Metzmacher'
Cc: pfif at tridgell.net; cifs-protocol at cifs.org
Subject: RE: [REG:112080864018345] SMB3 encryption over multiple requests
Metze,
In order to track document bugs properly, I will be following up on these new questions in two separate cases. I will start a new thread for each case:
112082370902333 SMB3 encryption of SESSION_SETUP (for reauth/or channel binding) and TREE_CONNECT
112082371227089 SMB3 encryption and Oplock/Lease break notifications
Thanks,
Edgar
-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Wednesday, August 22, 2012 9:19 AM
To: Edgar Olougouna
Cc: pfif at tridgell.net; cifs-protocol at cifs.org
Subject: Re: [REG:112080864018345] SMB3 encryption over multiple requests
Hi Edgar,
thanks for the answers, I have some more questions inline.
> What about async responses with STATUS_PENDING, are they also encrypted?
>
> [Answer]
> Yes. The exceptions that are not encrypted are SMB2 NEGOTIATE, SMB2 SESSION_SETUP or SMB2 TREE_CONNECT as documented in 3.2.4.1.8 Encrypting the Message, 3.3.4.1.4 Encrypting the Message.
Windows doesn't complain if the client encrypts SESSION_SETUP (for reauth/or channel bind) and TREE_CONNECTS.
> How does it work, when the last request in a compound chain goes async?
>
> [Answer]
> There is no change of processing rules for the encryption due to the last request in a compounded chain going async.
>
> Are Oplock/Lease Break Notifications encrypted?
>
> [Answer] Yes, see previous answer and references.
For Oplocks the server knows the session from the file_id, but what session is used for leases?
To my understanding a lease key can be shared between sessions, is that correct?
metze
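
Added example, not part of the original thread or of MS-SMB2: a Python check that a test client could run on a request/response pair to confirm the respond-in-kind behaviour described in the first message above. It assumes each frame is one SMB2 message with the transport length prefix already stripped; the helper names and sample frames are constructed, and the encrypted payload bytes are placeholders, not real ciphertext.

```python
import struct
from typing import NamedTuple, Optional

SMB2_MAGIC = b"\xfeSMB"       # ProtocolId of a plain SMB2 header
TRANSFORM_MAGIC = b"\xfdSMB"  # ProtocolId of SMB2 TRANSFORM_HEADER (encrypted)
SMB2_ECHO = 0x000D

class Frame(NamedTuple):
    encrypted: bool
    command: Optional[int]  # not visible on the wire when encrypted
    session_id: int

def classify(frame: bytes) -> Frame:
    """Classify one SMB2 message by its leading ProtocolId."""
    magic = frame[:4]
    if magic == TRANSFORM_MAGIC:
        if len(frame) < 52:
            raise ValueError("truncated transform header")
        (session_id,) = struct.unpack_from("<Q", frame, 44)
        return Frame(True, None, session_id)
    if magic == SMB2_MAGIC:
        if len(frame) < 64:
            raise ValueError("truncated SMB2 header")
        (command,) = struct.unpack_from("<H", frame, 12)
        (session_id,) = struct.unpack_from("<Q", frame, 40)
        return Frame(False, command, session_id)
    raise ValueError("not an SMB2 message")

def responds_in_kind(request: bytes, response: bytes) -> bool:
    """True when the response is encrypted exactly when the request was."""
    return classify(request).encrypted == classify(response).encrypted

def plain_echo(is_response: bool, message_id: int) -> bytes:
    """Constructed plain ECHO with SessionId 0 (ECHO needs no SessionId)."""
    flags = 0x1 if is_response else 0x0  # SMB2_FLAGS_SERVER_TO_REDIR
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_ECHO,
                         1, flags, 0, message_id, 0, 0, 0, bytes(16))
    return header + struct.pack("<HH", 4, 0)  # ECHO body: StructureSize=4

def transformed(session_id: int, payload_len: int) -> bytes:
    """Constructed transform-wrapped frame; payload is placeholder bytes."""
    header = struct.pack("<4s16s16sIHHQ", TRANSFORM_MAGIC, bytes(16),
                         bytes(range(16)), payload_len, 0, 1, session_id)
    return header + b"\xaa" * payload_len

PLAIN_REQ, PLAIN_RSP = plain_echo(False, 7), plain_echo(True, 7)
ENC_REQ = transformed(0x1122334455667788, 68)
ENC_RSP = transformed(0x1122334455667788, 68)
```

A plain response to `ENC_REQ` makes `responds_in_kind` return False, which is the mismatch a server conformance test would flag.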