Check SMB3 dialects against downgrade attacks

When we are running SMB3 or SMB3.02 connections which are signed we need to validate the protocol negotiation information, to ensure that the negotiate protocol response was not tampered with. Add the missing FSCTL which is sent at mount time (immediately after the SMB3 Tree Connect) to validate that the capabilities match what we think the server sent. "Secure dialect negotiation is introduced in SMB3 to protect against man-in-the-middle attempt to downgrade dialect negotiation. The idea is to prevent an eavesdropper from downgrading the initially negotiated dialect and capabilities between the client and the server." For more explanation see 2.2.31.4 of MS-SMB2 or http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve French <smfrench@gmail.com>
author: Steve French <smfrench@gmail.com> 2013-11-20 00:44:46 -0500
committer: Steve French <smfrench@gmail.com> 2013-11-20 00:52:54 -0500
commit: ff1c038addc4f205d5f1ede449426c7d316c0eed (patch)
tree: 6beb176bfee8d237bc06586474493f73702f0959 /fs/cifs
parent: 7d3fb24bce87a240ee5a5f99cdd72b1f336d5c3b (diff)
6 files changed, 90 insertions, 4 deletions
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index d9ea7ada1378..f918a998a087 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -384,6 +384,7 @@ struct smb_version_operations {
        int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
                        struct cifsFileInfo *target_file, u64 src_off, u64 len,
                        u64 dest_off);
+        int (*validate_negotiate)(const unsigned int, struct cifs_tcon *);
 };
 struct smb_version_values {
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index a3968eeb6fac..757da3e54d3d 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1319,6 +1319,7 @@ struct smb_version_operations smb30_operations = {
        .create_lease_buf = smb3_create_lease_buf,
        .parse_lease_buf = smb3_parse_lease_buf,
        .clone_range = smb2_clone_range,
+        .validate_negotiate = smb3_validate_negotiate,
 };
 struct smb_version_values smb20_values = {
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 1e136eee3ea6..2013234b73ad 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
        return rc;
 }
+int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+{
+        int rc = 0;
+        struct validate_negotiate_info_req vneg_inbuf;
+        struct validate_negotiate_info_rsp *pneg_rsp;
+        u32 rsplen;
+        cifs_dbg(FYI, "validate negotiate\n");
+        /*
+         * validation ioctl must be signed, so no point sending this if we
+         * can not sign it.  We could eventually change this to selectively
+         * sign just this, the first and only signed request on a connection.
+         * This is good enough for now since a user who wants better security
+         * would also enable signing on the mount. Having validation of
+         * negotiate info for signed connections helps reduce attack vectors
+         */
+        if (tcon->ses->server->sign == false)
+                return 0; /* validation requires signing */
+        vneg_inbuf.Capabilities =
+                        cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+        memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
+        if (tcon->ses->sign)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
+        else if (global_secflags & CIFSSEC_MAY_SIGN)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
+        else
+                vneg_inbuf.SecurityMode = 0;
+        vneg_inbuf.DialectCount = cpu_to_le16(1);
+        vneg_inbuf.Dialects[0] =
+                cpu_to_le16(tcon->ses->server->vals->protocol_id);
+        rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+                FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
+                (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
+                (char **)&pneg_rsp, &rsplen);
+        if (rc != 0) {
+                cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
+                return -EIO;
+        }
+        if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+                cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
+                return -EIO;
+        }
+        /* check validate negotiate info response matches what we got earlier */
+        if (pneg_rsp->Dialect !=
+                        cpu_to_le16(tcon->ses->server->vals->protocol_id))
+                goto vneg_out;
+        if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
+                goto vneg_out;
+        /* do not validate server guid because not saved at negprot time yet */
+        if ((le32_to_cpu(pneg_rsp->Capabilities) | SMB2_NT_FIND |
+              SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
+                goto vneg_out;
+        /* validate negotiate successful */
+        cifs_dbg(FYI, "validate negotiate info successful\n");
+        return 0;
+vneg_out:
+        cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+        return -EIO;
+}
 int
 SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
                const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
            ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
                cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
        init_copy_chunk_defaults(tcon);
+        if (tcon->ses->server->ops->validate_negotiate)
+                rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
 tcon_exit:
        free_rsp_buf(resp_buftype, rsp);
        kfree(unc_path);
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index f88320bbb477..2022c542ea3a 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -577,13 +577,19 @@ struct copychunk_ioctl_rsp {
        __le32 TotalBytesWritten;
 } __packed;
-/* Response and Request are the same format */
+struct validate_negotiate_info_req {
-struct validate_negotiate_info {
        __le32 Capabilities;
        __u8   Guid[SMB2_CLIENT_GUID_SIZE];
        __le16 SecurityMode;
        __le16 DialectCount;
-        __le16 Dialect[1];
+        __le16 Dialects[1]; /* dialect (someday maybe list) client asked for */
+} __packed;
+struct validate_negotiate_info_rsp {
+        __le32 Capabilities;
+        __u8   Guid[SMB2_CLIENT_GUID_SIZE];
+        __le16 SecurityMode;
+        __le16 Dialect; /* Dialect in use for the connection */
 } __packed;
 #define RSS_CAPABLE     0x00000001
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index b4eea105b08c..93adc64666f3 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -162,5 +162,6 @@ extern int smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon,
                      struct smb2_lock_element *buf);
 extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
                            __u8 *lease_key, const __le32 lease_state);
+extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
 #endif                  /* _SMB2PROTO_H */
diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h
index a4b2391fe66e..0e538b5c9622 100644
--- a/fs/cifs/smbfsctl.h
+++ b/fs/cifs/smbfsctl.h
@@ -90,7 +90,7 @@
 #define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */
 #define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */
 #define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */
-#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204 /* BB add struct */
+#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204
 /* Perform server-side data movement */
 #define FSCTL_SRV_COPYCHUNK 0x001440F2
 #define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2
author	Steve French <smfrench@gmail.com>	2013-11-20 00:44:46 -0500
committer	Steve French <smfrench@gmail.com>	2013-11-20 00:52:54 -0500
commit	ff1c038addc4f205d5f1ede449426c7d316c0eed (patch)
tree	6beb176bfee8d237bc06586474493f73702f0959 /fs/cifs
parent	7d3fb24bce87a240ee5a5f99cdd72b1f336d5c3b (diff)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index d9ea7ada1378..f918a998a087 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -384,6 +384,7 @@ struct smb_version_operations {
384	int (clone_range)(const unsigned int, struct cifsFileInfo src_file,	384	int (clone_range)(const unsigned int, struct cifsFileInfo src_file,
385	struct cifsFileInfo *target_file, u64 src_off, u64 len,	385	struct cifsFileInfo *target_file, u64 src_off, u64 len,
386	u64 dest_off);	386	u64 dest_off);
		387	int (validate_negotiate)(const unsigned int, struct cifs_tcon );
387	};	388	};
388		389
389	struct smb_version_values {	390	struct smb_version_values {


diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index a3968eeb6fac..757da3e54d3d 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c
@@ -1319,6 +1319,7 @@ struct smb_version_operations smb30_operations = {
1319	.create_lease_buf = smb3_create_lease_buf,	1319	.create_lease_buf = smb3_create_lease_buf,
1320	.parse_lease_buf = smb3_parse_lease_buf,	1320	.parse_lease_buf = smb3_parse_lease_buf,
1321	.clone_range = smb2_clone_range,	1321	.clone_range = smb2_clone_range,
		1322	.validate_negotiate = smb3_validate_negotiate,
1322	};	1323	};
1323		1324
1324	struct smb_version_values smb20_values = {	1325	struct smb_version_values smb20_values = {


diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 1e136eee3ea6..2013234b73ad 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
454	return rc;	454	return rc;
455	}	455	}
456		456
		457	int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
		458	{
		459	int rc = 0;
		460	struct validate_negotiate_info_req vneg_inbuf;
		461	struct validate_negotiate_info_rsp *pneg_rsp;
		462	u32 rsplen;
		463
		464	cifs_dbg(FYI, "validate negotiate\n");
		465
		466	/*
		467	* validation ioctl must be signed, so no point sending this if we
		468	* can not sign it. We could eventually change this to selectively
		469	* sign just this, the first and only signed request on a connection.
		470	* This is good enough for now since a user who wants better security
		471	* would also enable signing on the mount. Having validation of
		472	* negotiate info for signed connections helps reduce attack vectors
		473	*/
		474	if (tcon->ses->server->sign == false)
		475	return 0; /* validation requires signing */
		476
		477	vneg_inbuf.Capabilities =
		478	cpu_to_le32(tcon->ses->server->vals->req_capabilities);
		479	memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
		480
		481	if (tcon->ses->sign)
		482	vneg_inbuf.SecurityMode =
		483	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
		484	else if (global_secflags & CIFSSEC_MAY_SIGN)
		485	vneg_inbuf.SecurityMode =
		486	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
		487	else
		488	vneg_inbuf.SecurityMode = 0;
		489
		490	vneg_inbuf.DialectCount = cpu_to_le16(1);
		491	vneg_inbuf.Dialects[0] =
		492	cpu_to_le16(tcon->ses->server->vals->protocol_id);
		493
		494	rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
		495	FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
		496	(char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
		497	(char **)&pneg_rsp, &rsplen);
		498
		499	if (rc != 0) {
		500	cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
		501	return -EIO;
		502	}
		503
		504	if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
		505	cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
		506	return -EIO;
		507	}
		508
		509	/* check validate negotiate info response matches what we got earlier */
		510	if (pneg_rsp->Dialect !=
		511	cpu_to_le16(tcon->ses->server->vals->protocol_id))
		512	goto vneg_out;
		513
		514	if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
		515	goto vneg_out;
		516
		517	/* do not validate server guid because not saved at negprot time yet */
		518
		519	if ((le32_to_cpu(pneg_rsp->Capabilities) \| SMB2_NT_FIND \|
		520	SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
		521	goto vneg_out;
		522
		523	/* validate negotiate successful */
		524	cifs_dbg(FYI, "validate negotiate info successful\n");
		525	return 0;
		526
		527	vneg_out:
		528	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
		529	return -EIO;
		530	}
		531
457	int	532	int
458	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,	533	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
459	const struct nls_table *nls_cp)	534	const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses ses, const char tree,
829	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))	904	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
830	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");	905	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
831	init_copy_chunk_defaults(tcon);	906	init_copy_chunk_defaults(tcon);
		907	if (tcon->ses->server->ops->validate_negotiate)
		908	rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
832	tcon_exit:	909	tcon_exit:
833	free_rsp_buf(resp_buftype, rsp);	910	free_rsp_buf(resp_buftype, rsp);
834	kfree(unc_path);	911	kfree(unc_path);


diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index f88320bbb477..2022c542ea3a 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h
@@ -577,13 +577,19 @@ struct copychunk_ioctl_rsp {
577	__le32 TotalBytesWritten;	577	__le32 TotalBytesWritten;
578	} __packed;	578	} __packed;
579		579
580	/* Response and Request are the same format */	580	struct validate_negotiate_info_req {
581	struct validate_negotiate_info {
582	__le32 Capabilities;	581	__le32 Capabilities;
583	__u8 Guid[SMB2_CLIENT_GUID_SIZE];	582	__u8 Guid[SMB2_CLIENT_GUID_SIZE];
584	__le16 SecurityMode;	583	__le16 SecurityMode;
585	__le16 DialectCount;	584	__le16 DialectCount;
586	__le16 Dialect[1];	585	__le16 Dialects[1]; /* dialect (someday maybe list) client asked for */
		586	} __packed;
		587
		588	struct validate_negotiate_info_rsp {
		589	__le32 Capabilities;
		590	__u8 Guid[SMB2_CLIENT_GUID_SIZE];
		591	__le16 SecurityMode;
		592	__le16 Dialect; /* Dialect in use for the connection */
587	} __packed;	593	} __packed;
588		594
589	#define RSS_CAPABLE 0x00000001	595	#define RSS_CAPABLE 0x00000001


diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h index b4eea105b08c..93adc64666f3 100644 --- a/fs/cifs/smb2proto.h +++ b/fs/cifs/smb2proto.h
@@ -162,5 +162,6 @@ extern int smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon,
162	struct smb2_lock_element *buf);	162	struct smb2_lock_element *buf);
163	extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,	163	extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
164	__u8 *lease_key, const __le32 lease_state);	164	__u8 *lease_key, const __le32 lease_state);
		165	extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
165		166
166	#endif /* _SMB2PROTO_H */	167	#endif /* _SMB2PROTO_H */


diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h index a4b2391fe66e..0e538b5c9622 100644 --- a/fs/cifs/smbfsctl.h +++ b/fs/cifs/smbfsctl.h
@@ -90,7 +90,7 @@
90	#define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */	90	#define FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4 /* BB add struct */
91	#define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */	91	#define FSCTL_LMR_GET_LINK_TRACK_INF 0x001400E8 /* BB add struct */
92	#define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */	92	#define FSCTL_LMR_SET_LINK_TRACK_INF 0x001400EC /* BB add struct */
93	#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204 /* BB add struct */	93	#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204
94	/* Perform server-side data movement */	94	/* Perform server-side data movement */
95	#define FSCTL_SRV_COPYCHUNK 0x001440F2	95	#define FSCTL_SRV_COPYCHUNK 0x001440F2
96	#define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2	96	#define FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2