[PATCH] Reuse of nonces patch breaks SMB3.0 connections without encryption.

Stefan (metze) Metzmacher metze at samba.org
Wed Jun 17 00:43:13 MDT 2015


Hi Jeremy,

> From a400e74f6f2195cd14386aeb684a571c55c9f535 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Tue, 16 Jun 2015 15:50:30 -0700
> Subject: [PATCH] smbd: Fix clients connecting unencrypted with
>  PROTOCOL_SMB2_24 or higher.
> 
> Nonce code was terminating connections where xconn->smb2.server.cipher == 0.
> 
> If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero and
> return NT_STATUS_ENCRYPTION_FAILED if smb2_get_new_nonce() is ever called with
> session->nonce_high_max == 0.
> 
> Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> ---
>  source3/smbd/smb2_server.c    | 4 ++++
>  source3/smbd/smb2_sesssetup.c | 4 ++--
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
> index a8d54cb..c4f7c67 100644
> --- a/source3/smbd/smb2_server.c
> +++ b/source3/smbd/smb2_server.c
> @@ -1465,6 +1465,10 @@ static NTSTATUS smb2_get_new_nonce(struct smbXsrv_session *session,
>  	uint64_t nonce_high;
>  	uint64_t nonce_low;
>  
> +	if (session->nonce_high_max == 0) {
> +		return NT_STATUS_ENCRYPTION_FAILED;
> +	}
> +

We don't need that, we already have

        if (session->nonce_high >= session->nonce_high_max) {
                return NT_STATUS_ENCRYPTION_FAILED;
        }

Which will trigger if session->nonce_high_max is 0.

>  	session->nonce_low += 1;
>  	if (session->nonce_low == 0) {
>  		session->nonce_low += 1;
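
Review bot: The added `if (session->nonce_high_max == 0)` early return at the top of smb2_get_new_nonce() carries no comment saying that zero is the marker for "no cipher negotiated", and it overlaps the existing `session->nonce_high >= session->nonce_high_max` check quoted in the reply, which is always true for an unsigned counter when the maximum is 0. Either drop the new check and rely on the existing one, or keep it purely as documentation with a one-line comment stating that meaning. If it stays, its position before `session->nonce_low += 1` is the right one, since the failure path then leaves the session's nonce counters unmodified.
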
> diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
> index 3e80da8..da7adb3 100644
> --- a/source3/smbd/smb2_sesssetup.c
> +++ b/source3/smbd/smb2_sesssetup.c
> @@ -372,8 +372,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
>  			nonce_size = AES_GCM_128_IV_SIZE;
>  			break;
>  		default:
> -			ZERO_STRUCT(session_key);
> -			return NT_STATUS_INVALID_PARAMETER;
> +			nonce_size = 0;
> +			break;
>  		}
>  		x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
>  		x->nonce_high = 0;
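
Review bot: The `default:` branch now accepts every unrecognised cipher value, not only the `xconn->smb2.server.cipher == 0` case named in the commit message, so a non-zero cipher id that this switch does not handle no longer fails with NT_STATUS_INVALID_PARAMETER at session setup. Consider an explicit `case 0:` that sets `nonce_size = 0` and leaving `default:` as the error return with `ZERO_STRUCT(session_key)`. The fix also depends on `SMB2_NONCE_HIGH_MAX(0)` evaluating to 0, which is not visible in this hunk; a short comment here, or assigning `x->nonce_high_max = 0` directly for the no-cipher case, would make that dependency explicit.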

That looks good.

metze
