linux-cifs.vger.kernel.org archive mirror
* [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256
@ 2023-02-28 23:56 Namjae Jeon
  2023-02-28 23:56 ` [PATCH] ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION Namjae Jeon
  2023-03-01  3:57 ` [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256 Steve French
  0 siblings, 2 replies; 3+ messages in thread
From: Namjae Jeon @ 2023-02-28 23:56 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, senozhatsky, tom, Namjae Jeon, Miao Lihua

MacOS and Win11 support AES256 encryption and it is included in the cipher
array of encryption context. Especially on macOS, the most preferred
cipher is AES256. Connecting to ksmbd fails on newer MacOS clients that
support AES256 encryption. MacOS sends a disconnect request after receiving
the final session setup response from ksmbd, because the final session setup
is signed with a signing key that was generated incorrectly.
For the signing key, the 'L' value should be initialized to 128 if the key
size is 16 bytes.

Reported-by: Miao Lihua <441884205@qq.com>
Tested-by: Miao Lihua <441884205@qq.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/ksmbd/auth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 6e61b5bc7d86..cead696b656a 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -727,8 +727,9 @@ static int generate_key(struct ksmbd_conn *conn, struct ksmbd_session *sess,
 		goto smb3signkey_ret;
 	}
 
-	if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
-	    conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
+	if (key_size == SMB3_ENC_DEC_KEY_SIZE &&
+	    (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+	     conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
 		rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L256, 4);
 	else
 		rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L128, 4);
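Review bot: The new key_size == SMB3_ENC_DEC_KEY_SIZE test on the first added line carries the whole fix but has no comment explaining it. A short comment above the if, saying that the L field has to match the length of the key being derived so that a 16-byte signing key takes L128 even when an AES256 cipher was negotiated, would keep a later cleanup from dropping the test as redundant with the cipher_type checks.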
-- 
2.25.1
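
Why the wrong 'L' breaks signing, as an added example (not code from the patch or from ksmbd): a user-space model of the counter-mode HMAC-SHA256 derivation that generate_key() feeds, comparing the 16-byte signing key a client derives with L = 128 against the server's key before and after the fix. The "SMBSigningKey" label and the preauth-hash context follow the SMB 3.1.1 key derivation as an assumption, the value 32 for SMB3_ENC_DEC_KEY_SIZE is assumed, and the session key and context bytes are constructed.

```python
import hashlib
import hmac
import struct

SIGN_KEY_SIZE = 16     # signing key length in bytes ("16 bytes" in the commit message)
ENC_DEC_KEY_SIZE = 32  # assumed value of SMB3_ENC_DEC_KEY_SIZE; not shown on the page
L128 = struct.pack(">I", 128)  # 4-byte big-endian L fields, as hashed by the hunk
L256 = struct.pack(">I", 256)

# Constructed sample inputs, not taken from a real session.
SESSION_KEY = bytes(range(16))
LABEL = b"SMBSigningKey\x00"  # assumed SMB 3.1.1 signing label
CONTEXT = hashlib.sha512(b"constructed preauth transcript").digest()


def smb3_kdf(key, label, context, l_field, key_size):
    """One counter-mode round: HMAC-SHA256(key, i || label || 0x00 || context || L)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (struct.pack(">I", 1), label, b"\x00", context, l_field):
        mac.update(part)
    return mac.digest()[:key_size]


def server_l_field(key_size, aes256, patched):
    """Mirror the condition in generate_key() before and after the patch."""
    if patched:
        return L256 if (key_size == ENC_DEC_KEY_SIZE and aes256) else L128
    return L256 if aes256 else L128


def signing_keys_match(aes256, patched):
    """True when client and server derive the same 16-byte signing key."""
    client = smb3_kdf(SESSION_KEY, LABEL, CONTEXT, L128, SIGN_KEY_SIZE)
    server = smb3_kdf(SESSION_KEY, LABEL, CONTEXT,
                      server_l_field(SIGN_KEY_SIZE, aes256, patched),
                      SIGN_KEY_SIZE)
    return hmac.compare_digest(client, server)


if __name__ == "__main__":
    for aes256 in (False, True):
        for patched in (False, True):
            print(f"aes256={aes256} patched={patched} "
                  f"keys match: {signing_keys_match(aes256, patched)}")
```

Because L is part of the HMAC input, changing it alters every byte of the derived key, so the client cannot verify the signature on the final session setup response.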



* [PATCH] ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION
  2023-02-28 23:56 [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256 Namjae Jeon
@ 2023-02-28 23:56 ` Namjae Jeon
  2023-03-01  3:57 ` [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256 Steve French
  1 sibling, 0 replies; 3+ messages in thread
From: Namjae Jeon @ 2023-02-28 23:56 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, senozhatsky, tom, Namjae Jeon, Miao Lihua

If vfs objects = streams_xattr in ksmbd.conf, FILE_NAMED_STREAMS should
be set to Attributes in FS_ATTRIBUTE_INFORMATION. MacOS client shows
"Format: SMB (Unknown)" on faked NTFS and no streams support.

Reported-by: Miao Lihua <441884205@qq.com>
Tested-by: Miao Lihua <441884205@qq.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/ksmbd/smb2pdu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 013fd6452942..c774af83b5dc 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4936,6 +4936,10 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work,
 
 		info->Attributes |= cpu_to_le32(server_conf.share_fake_fscaps);
 
+		if (test_share_config_flag(work->tcon->share_conf,
+		    KSMBD_SHARE_FLAG_STREAMS))
+			info->Attributes |= FILE_NAMED_STREAMS;
+
 		info->MaxPathNameComponentLength = cpu_to_le32(stfs.f_namelen);
 		len = smbConvertToUTF16((__le16 *)info->FileSystemName,
 					"NTFS", PATH_MAX, conn->local_nls, 0);
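Review bot: The added line info->Attributes |= FILE_NAMED_STREAMS; ORs the flag in without cpu_to_le32(), while the context line just above wraps server_conf.share_fake_fscaps in cpu_to_le32() before ORing into the same field. Unless FILE_NAMED_STREAMS is already defined as a little-endian constant, this sets the wrong bit on big-endian hosts; use cpu_to_le32(FILE_NAMED_STREAMS) or note in the changelog that the constant is already __le32. The continuation line of the test_share_config_flag() call would also read better aligned under its first argument.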
-- 
2.25.1



* Re: [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256
  2023-02-28 23:56 [PATCH] ksmbd: fix wrong signingkey creation when encryption is AES256 Namjae Jeon
  2023-02-28 23:56 ` [PATCH] ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION Namjae Jeon
@ 2023-03-01  3:57 ` Steve French
  1 sibling, 0 replies; 3+ messages in thread
From: Steve French @ 2023-03-01  3:57 UTC (permalink / raw)
  To: Namjae Jeon; +Cc: linux-cifs, senozhatsky, tom, Miao Lihua

FYI - Linux client also supports AES GCM 256 encryption.  It is
enabled by default and can be set to required with:

MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");

On Tue, Feb 28, 2023 at 5:57 PM Namjae Jeon <linkinjeon@kernel.org> wrote:
>
> MacOS and Win11 support AES256 encryption and it is included in the cipher
> array of encryption context. Especially on macOS, the most preferred
> cipher is AES256. Connecting to ksmbd fails on newer MacOS clients that
> support AES256 encryption. MacOS sends a disconnect request after receiving
> the final session setup response from ksmbd, because the final session setup
> is signed with a signing key that was generated incorrectly.
> For the signing key, the 'L' value should be initialized to 128 if the key
> size is 16 bytes.
>
> Reported-by: Miao Lihua <441884205@qq.com>
> Tested-by: Miao Lihua <441884205@qq.com>
> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
> ---
>  fs/ksmbd/auth.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
> index 6e61b5bc7d86..cead696b656a 100644
> --- a/fs/ksmbd/auth.c
> +++ b/fs/ksmbd/auth.c
> @@ -727,8 +727,9 @@ static int generate_key(struct ksmbd_conn *conn, struct ksmbd_session *sess,
>                 goto smb3signkey_ret;
>         }
>
> -       if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
> -           conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
> +       if (key_size == SMB3_ENC_DEC_KEY_SIZE &&
> +           (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
> +            conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
>                 rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L256, 4);
>         else
>                 rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L128, 4);
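Review bot: In the rewritten condition, L256 is still chosen through conn->cipher_type with key_size added only as a guard, so the L field and the derived key length are tied together by two separate tests. If key_size can equal SMB3_ENC_DEC_KEY_SIZE only when an AES256 cipher was negotiated, the cipher_type comparisons are redundant and the choice between L256 and L128 could depend on key_size alone; if not, the changelog should say which caller passes that size with another cipher.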
> --
> 2.25.1
>


-- 
Thanks,

Steve
