diff options
| author | Steve French <smfrench@gmail.com> | 2013-11-20 00:44:46 -0500 |
|---|---|---|
| committer | Steve French <smfrench@gmail.com> | 2013-11-20 00:52:54 -0500 |
| commit | ff1c038addc4f205d5f1ede449426c7d316c0eed (patch) | |
| tree | 6beb176bfee8d237bc06586474493f73702f0959 /fs/cifs/smb2pdu.c | |
| parent | 7d3fb24bce87a240ee5a5f99cdd72b1f336d5c3b (diff) | |
Check SMB3 dialects against downgrade attacks
When we are running SMB3 or SMB3.02 connections which are signed
we need to validate the protocol negotiation information,
to ensure that the negotiate protocol response was not tampered with.
Add the missing FSCTL which is sent at mount time (immediately after
the SMB3 Tree Connect) to validate that the capabilities match
what we think the server sent.
"Secure dialect negotiation is introduced in SMB3 to protect against
man-in-the-middle attempt to downgrade dialect negotiation.
The idea is to prevent an eavesdropper from downgrading the initially
negotiated dialect and capabilities between the client and the server."
For more explanation see 2.2.31.4 of MS-SMB2 or
http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx
Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/smb2pdu.c')
| -rw-r--r-- | fs/cifs/smb2pdu.c | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 1e136eee3ea6..2013234b73ad 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c | |||
| @@ -454,6 +454,81 @@ neg_exit: | |||
| 454 | return rc; | 454 | return rc; |
| 455 | } | 455 | } |
| 456 | 456 | ||
| 457 | int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) | ||
| 458 | { | ||
| 459 | int rc = 0; | ||
| 460 | struct validate_negotiate_info_req vneg_inbuf; | ||
| 461 | struct validate_negotiate_info_rsp *pneg_rsp; | ||
| 462 | u32 rsplen; | ||
| 463 | |||
| 464 | cifs_dbg(FYI, "validate negotiate\n"); | ||
| 465 | |||
| 466 | /* | ||
| 467 | * validation ioctl must be signed, so no point sending this if we | ||
| 468 | * can not sign it. We could eventually change this to selectively | ||
| 469 | * sign just this, the first and only signed request on a connection. | ||
| 470 | * This is good enough for now since a user who wants better security | ||
| 471 | * would also enable signing on the mount. Having validation of | ||
| 472 | * negotiate info for signed connections helps reduce attack vectors | ||
| 473 | */ | ||
| 474 | if (tcon->ses->server->sign == false) | ||
| 475 | return 0; /* validation requires signing */ | ||
| 476 | |||
| 477 | vneg_inbuf.Capabilities = | ||
| 478 | cpu_to_le32(tcon->ses->server->vals->req_capabilities); | ||
| 479 | memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE); | ||
| 480 | |||
| 481 | if (tcon->ses->sign) | ||
| 482 | vneg_inbuf.SecurityMode = | ||
| 483 | cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); | ||
| 484 | else if (global_secflags & CIFSSEC_MAY_SIGN) | ||
| 485 | vneg_inbuf.SecurityMode = | ||
| 486 | cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); | ||
| 487 | else | ||
| 488 | vneg_inbuf.SecurityMode = 0; | ||
| 489 | |||
| 490 | vneg_inbuf.DialectCount = cpu_to_le16(1); | ||
| 491 | vneg_inbuf.Dialects[0] = | ||
| 492 | cpu_to_le16(tcon->ses->server->vals->protocol_id); | ||
| 493 | |||
| 494 | rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, | ||
| 495 | FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, | ||
| 496 | (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), | ||
| 497 | (char **)&pneg_rsp, &rsplen); | ||
| 498 | |||
| 499 | if (rc != 0) { | ||
| 500 | cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); | ||
| 501 | return -EIO; | ||
| 502 | } | ||
| 503 | |||
| 504 | if (rsplen != sizeof(struct validate_negotiate_info_rsp)) { | ||
| 505 | cifs_dbg(VFS, "invalid size of protocol negotiate response\n"); | ||
| 506 | return -EIO; | ||
| 507 | } | ||
| 508 | |||
| 509 | /* check validate negotiate info response matches what we got earlier */ | ||
| 510 | if (pneg_rsp->Dialect != | ||
| 511 | cpu_to_le16(tcon->ses->server->vals->protocol_id)) | ||
| 512 | goto vneg_out; | ||
| 513 | |||
| 514 | if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode)) | ||
| 515 | goto vneg_out; | ||
| 516 | |||
| 517 | /* do not validate server guid because not saved at negprot time yet */ | ||
| 518 | |||
| 519 | if ((le32_to_cpu(pneg_rsp->Capabilities) | SMB2_NT_FIND | | ||
| 520 | SMB2_LARGE_FILES) != tcon->ses->server->capabilities) | ||
| 521 | goto vneg_out; | ||
| 522 | |||
| 523 | /* validate negotiate successful */ | ||
| 524 | cifs_dbg(FYI, "validate negotiate info successful\n"); | ||
| 525 | return 0; | ||
| 526 | |||
| 527 | vneg_out: | ||
| 528 | cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); | ||
| 529 | return -EIO; | ||
| 530 | } | ||
| 531 | |||
| 457 | int | 532 | int |
| 458 | SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, | 533 | SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, |
| 459 | const struct nls_table *nls_cp) | 534 | const struct nls_table *nls_cp) |
| @@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, | |||
| 829 | ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) | 904 | ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) |
| 830 | cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); | 905 | cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); |
| 831 | init_copy_chunk_defaults(tcon); | 906 | init_copy_chunk_defaults(tcon); |
| 907 | if (tcon->ses->server->ops->validate_negotiate) | ||
| 908 | rc = tcon->ses->server->ops->validate_negotiate(xid, tcon); | ||
| 832 | tcon_exit: | 909 | tcon_exit: |
| 833 | free_rsp_buf(resp_buftype, rsp); | 910 | free_rsp_buf(resp_buftype, rsp); |
| 834 | kfree(unc_path); | 911 | kfree(unc_path); |