encrypt the tcon itself if seal requested on mount and set encryption support for 3.11 properly

Pavel Shilovsky piastryyy at gmail.com
Sat Apr 21 00:14:31 UTC 2018

2018-04-20 15:11 GMT-07:00 Steve French via samba-technical
<samba-technical at lists.samba.org>:
> This patch doesn't fix all the problems (mount with 3.11 and "seal"
> fails presumably because the validate negotiate like hash for the
> signature is not attached to the tcon the right way - signing is
> usually disabled when encryption is enabled).
> Should the signature be also included in the frame even if the tcon is
> encryption in SMB3.11?
> --
> Thanks,
> Steve

Looks good. Please also fix the encryption negotiate context:

static void
build_encrypt_ctxt(struct smb2_encryption_neg_context *pneg_ctxt)
pneg_ctxt->ContextType = SMB2_ENCRYPTION_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(6);
pneg_ctxt->CipherCount = cpu_to_le16(2);
pneg_ctxt->Ciphers[0] = SMB2_ENCRYPTION_AES128_GCM;
pneg_ctxt->Ciphers[1] = SMB2_ENCRYPTION_AES128_CCM;

as we currently do not support AES128_GCM encryption. This is probably
why mount fails.

The SMB3 encryption includes signing, so, I think SMB2 header
signature may be omitted in validate negotiate if encryption is used.

We need to check if the current code works with CCM encryption for SMB
3.0 because there was a stable patch "Validate negotiate request mush
always be signed" that changed the behavior of validate negotiate

Best regards,
Pavel Shilovsky

More information about the samba-technical mailing list