[PATCH] Reuse of nonces patch breaks SMB3.0 connections without encryption.
Stefan (metze) Metzmacher
metze at samba.org
Wed Jun 17 00:43:13 MDT 2015
Hi Jeremy,
> From a400e74f6f2195cd14386aeb684a571c55c9f535 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Tue, 16 Jun 2015 15:50:30 -0700
> Subject: [PATCH] smbd: Fix clients connecting unencrypted with
> PROTOCOL_SMB2_24 or higher.
>
> Nonce code was terminating connections where xconn->smb2.server.cipher == 0.
>
> If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero and
> return NT_STATUS_ENCRYPTION_FAILED if smb2_get_new_nonce() is ever called with
> session->nonce_high_max == 0.
>
> Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300
>
> Signed-off-by: Jeremy Allison <jra at samba.org>
> ---
> source3/smbd/smb2_server.c | 4 ++++
> source3/smbd/smb2_sesssetup.c | 4 ++--
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
> index a8d54cb..c4f7c67 100644
> --- a/source3/smbd/smb2_server.c
> +++ b/source3/smbd/smb2_server.c
> @@ -1465,6 +1465,10 @@ static NTSTATUS smb2_get_new_nonce(struct smbXsrv_session *session,
> uint64_t nonce_high;
> uint64_t nonce_low;
>
> + if (session->nonce_high_max == 0) {
> + return NT_STATUS_ENCRYPTION_FAILED;
> + }
> +
We don't need that, we already have
    if (session->nonce_high >= session->nonce_high_max) {
        return NT_STATUS_ENCRYPTION_FAILED;
    }
Which will trigger if session->nonce_high_max is 0.
> session->nonce_low += 1;
> if (session->nonce_low == 0) {
> session->nonce_low += 1;
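Review bot: the added `if (session->nonce_high_max == 0)` guard at the top of smb2_get_new_nonce() carries no comment saying that a zero nonce_high_max marks a session with no negotiated cipher, so the reason for returning NT_STATUS_ENCRYPTION_FAILED here is only recoverable from the commit message. If the guard stays, add a one-line comment to that effect. If the existing `session->nonce_high >= session->nonce_high_max` comparison quoted in the reply is evaluated before the nonce counters are modified, the new check is redundant and can be dropped.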
> diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
> index 3e80da8..da7adb3 100644
> --- a/source3/smbd/smb2_sesssetup.c
> +++ b/source3/smbd/smb2_sesssetup.c
> @@ -372,8 +372,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
> nonce_size = AES_GCM_128_IV_SIZE;
> break;
> default:
> - ZERO_STRUCT(session_key);
> - return NT_STATUS_INVALID_PARAMETER;
> + nonce_size = 0;
> + break;
> }
> x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
> x->nonce_high = 0;
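Review bot: the `default:` branch now sets `nonce_size = 0` for every value the switch does not list, not only for the `cipher == 0` case the commit message describes, so an unexpected non-zero cipher value would no longer be rejected with NT_STATUS_INVALID_PARAMETER at session setup. Consider an explicit `case 0:` that sets `nonce_size = 0` for the unencrypted case, keeping `ZERO_STRUCT(session_key)` and the error return in `default:`. A short comment stating that `SMB2_NONCE_HIGH_MAX(0)` is expected to give a nonce_high_max of 0 would also document the invariant the smb2_get_new_nonce() side depends on.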
That looks good.
metze