[PATCH] smb encrypt - new value desired

Guenther Deschner gd at samba.org
Tue Jul 7 20:11:07 CEST 2015


Hi,

I would - for now - only push the 1st patch to avoid a vfs version bump.
We discussed plans to redo some of that anyways later for master where
we can reconsider this.

Just my RB+ and two cents and pushing the 1st patch now :)

Guenther

On 07/07/15 17:26, Michael Adam wrote:
> Thanks!
> 
> The patches have just landed.
> 
> I found one more case of SMB_SIGNING_DESIRED
> not treated in a case.
> 
> Patch to fix this is attached.
> 
> The reason was that the type of encrypt_level
> in the connection_struct is just an int, not
> the appropriate enum.
> 
> The second attached patch changes this to the enum.
> But I am not sure about that: Does this entail a
> version bump of our vfs?
> 
> Comments/review/push appreciated!
> 
> Cheers - Michael
> 
> On 2015-07-07 at 13:01 +0200, Guenther Deschner wrote:
>> Hi Michael,
>>
>> LGTM. RB+ and pushed to autobuild.
>>
>> Thanks,
>> Guenther
>>
>> On 07/07/15 01:04, Michael Adam wrote:
>>> On 2015-07-02 at 15:32 +0200, Michael Adam wrote:
>>>> On 2015-07-01 at 23:29 +0200, Michael Adam wrote:
>>>>> On 2015-07-01 at 18:22 +0200, Michael Adam wrote:
>>>>>> On 2015-07-01 at 16:30 +0200, Michael Adam wrote:
>>>>>>>
>>>>>>> Update:
>>>>>>>
>>>>>>> The difference in behaviour is in treating a 'disobedient'
>>>>>>> client that does not send encrypted requests although we
>>>>>>> (the server) send ENCRYPT_DATA in tree connect or session
>>>>>>> setup response.
>>>>>>>
>>>>>>> I just tested against Windows.
>>>>>>> Windows is generous in that it permits unencrypted request
>>>>>>> packets, but sends encrypted responses.
>>>>>>>
>>>>>>> With the proposed patch we would be less generous and
>>>>>>> deny unencrypted requests after having sent ENCRYPT_DATA.
>>>>>>>
>>>>>>> With Metze's proposed change, we would accept unencrypted
>>>>>>> requests but without further changes send unencrypted
>>>>>>> responses to those.
>>>>>>>
>>>>>>> I'll see what I can do regarding this last approach to
>>>>>>> match Windows behaviour more exactly...
>>>>>>
>>>>>> Attached find an updated patchset that implements the
>>>>>> exact Windows behaviour described above.
>>>>>> It is not sooo big after all. Maybe we can take and
>>>>>> backport it.
>>>>>>
>>>>>> Feedback/Review welcome!
>>>>>
>>>>> Oh, apparently it is not complete yet. :-/
>>>>> Some tests fail with this patchset.
>>>>
>>>> Attached is the new version of this patchset.
>>>> It now survives all smb2 related tests.
>>>> I am currently running a full autobuild for verification.
>>>>
>>>> The only issue that needs resolution is the
>>>> addition of encryption desired to
>>>> smbXsrv_session->global and smbXsrv_tcon->global.
>>>> Currently I have inserted them in the logically
>>>> best place (imho), but with respect to alignment
>>>> and structure size we may need another solution.
>>>>
>>>> Apart from this, I think the patchset should be good.
>>>
>>> Attached is the (hopefully final) updated patchset.
>>> It fixes the above-mentioned issue by putting the
>>> encryption_desired variable not into smbXsrv_session|tcon->global
>>> but into smbXsrv_session|tcon directly so that it
>>> does not get marshalled and put to disk.
>>>
>>> Review/comments welcome.
>>>
>>> Michael
>>>
>>
>>
>> -- 
>> Günther Deschner                    GPG-ID: 8EE11688
>> Red Hat                         gdeschner at redhat.com
>> Samba Team                              gd at samba.org


-- 
Guenther Deschner
Pestalozzistr. 39
D-13187 Berlin

