Commit 7955f105 authored by Steve French's avatar Steve French

SMB3.1.1: do not log warning message if server doesn't populate salt

In the negotiate protocol preauth context, the server is not required
to populate the salt (although it is done by most servers) so do
not warn on mount.

We retain the checks (warn) that the preauth context is the minimum
size and that the salt does not exceed DataLength of the SMB response.
Although we use the defaults in the case that the preauth context
response is invalid, these checks may be useful in the future
as servers add support for additional mechanisms.

CC: Stable <stable@vger.kernel.org>
Reviewed-by: default avatarShyam Prasad N <sprasad@microsoft.com>
Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 145024e3
...@@ -427,8 +427,8 @@ build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt) ...@@ -427,8 +427,8 @@ build_preauth_ctxt(struct smb2_preauth_neg_context *pneg_ctxt)
pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES; pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES;
pneg_ctxt->DataLength = cpu_to_le16(38); pneg_ctxt->DataLength = cpu_to_le16(38);
pneg_ctxt->HashAlgorithmCount = cpu_to_le16(1); pneg_ctxt->HashAlgorithmCount = cpu_to_le16(1);
pneg_ctxt->SaltLength = cpu_to_le16(SMB311_SALT_SIZE); pneg_ctxt->SaltLength = cpu_to_le16(SMB311_LINUX_CLIENT_SALT_SIZE);
get_random_bytes(pneg_ctxt->Salt, SMB311_SALT_SIZE); get_random_bytes(pneg_ctxt->Salt, SMB311_LINUX_CLIENT_SALT_SIZE);
pneg_ctxt->HashAlgorithms = SMB2_PREAUTH_INTEGRITY_SHA512; pneg_ctxt->HashAlgorithms = SMB2_PREAUTH_INTEGRITY_SHA512;
} }
...@@ -566,6 +566,9 @@ static void decode_preauth_context(struct smb2_preauth_neg_context *ctxt) ...@@ -566,6 +566,9 @@ static void decode_preauth_context(struct smb2_preauth_neg_context *ctxt)
if (len < MIN_PREAUTH_CTXT_DATA_LEN) { if (len < MIN_PREAUTH_CTXT_DATA_LEN) {
pr_warn_once("server sent bad preauth context\n"); pr_warn_once("server sent bad preauth context\n");
return; return;
} else if (len < MIN_PREAUTH_CTXT_DATA_LEN + le16_to_cpu(ctxt->SaltLength)) {
pr_warn_once("server sent invalid SaltLength\n");
return;
} }
if (le16_to_cpu(ctxt->HashAlgorithmCount) != 1) if (le16_to_cpu(ctxt->HashAlgorithmCount) != 1)
pr_warn_once("Invalid SMB3 hash algorithm count\n"); pr_warn_once("Invalid SMB3 hash algorithm count\n");
......
...@@ -333,12 +333,20 @@ struct smb2_neg_context { ...@@ -333,12 +333,20 @@ struct smb2_neg_context {
/* Followed by array of data */ /* Followed by array of data */
} __packed; } __packed;
#define SMB311_SALT_SIZE 32 #define SMB311_LINUX_CLIENT_SALT_SIZE 32
/* Hash Algorithm Types */ /* Hash Algorithm Types */
#define SMB2_PREAUTH_INTEGRITY_SHA512 cpu_to_le16(0x0001) #define SMB2_PREAUTH_INTEGRITY_SHA512 cpu_to_le16(0x0001)
#define SMB2_PREAUTH_HASH_SIZE 64 #define SMB2_PREAUTH_HASH_SIZE 64
#define MIN_PREAUTH_CTXT_DATA_LEN (SMB311_SALT_SIZE + 6) /*
* SaltLength that the server send can be zero, so the only three required
* fields (all __le16) end up six bytes total, so the minimum context data len
* in the response is six bytes which accounts for
*
* HashAlgorithmCount, SaltLength, and 1 HashAlgorithm.
*/
#define MIN_PREAUTH_CTXT_DATA_LEN 6
struct smb2_preauth_neg_context { struct smb2_preauth_neg_context {
__le16 ContextType; /* 1 */ __le16 ContextType; /* 1 */
__le16 DataLength; __le16 DataLength;
...@@ -346,7 +354,7 @@ struct smb2_preauth_neg_context { ...@@ -346,7 +354,7 @@ struct smb2_preauth_neg_context {
__le16 HashAlgorithmCount; /* 1 */ __le16 HashAlgorithmCount; /* 1 */
__le16 SaltLength; __le16 SaltLength;
__le16 HashAlgorithms; /* HashAlgorithms[0] since only one defined */ __le16 HashAlgorithms; /* HashAlgorithms[0] since only one defined */
__u8 Salt[SMB311_SALT_SIZE]; __u8 Salt[SMB311_LINUX_CLIENT_SALT_SIZE];
} __packed; } __packed;
/* Encryption Algorithms Ciphers */ /* Encryption Algorithms Ciphers */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment