Ronnie Sahlberg lsahlber@redhat.com writes:
Fix Guest/Anonymous sessions so that they work with SMB 3.11.
In git commit 6188f28 tightened the conditions and forced signing for the SMB2-TreeConnect commands as per MS-SMB2.
We could add a
Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")
tag in the commit message.
- /* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1 */
- /*
* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1* unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1*/
!smb3_encryption_required(tcon))
!smb3_encryption_required(tcon) &&!(ses->session_flags & (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))memset(&rqst, 0, sizeof(struct smb_rqst));
I suspect there might more (and/or better) places to check. If you grep for SMB2_FLAGS_SIGNED there are a couple of other places that should be considered:
smb2_hdr_assemble() { ... if (tcon->ses && tcon->ses->server && tcon->ses->server->sign && !smb3_encryption_required(tcon)) shdr->Flags |= SMB2_FLAGS_SIGNED; ... }
cifs_get_smb_ses() { ... ses->sectype = volume_info->sectype; ses->sign = volume_info->sign;
mutex_lock(&ses->session_mutex); rc = cifs_negotiate_protocol(xid, ses); if (!rc) rc = cifs_setup_session(xid, ses, volume_info->local_nls); mutex_unlock(&ses->session_mutex); if (rc) goto get_ses_fail; ... }
After negprot and before sess setup we already know the protocol version so I guess there could be some patch there as well.
See also SMB2_logoff(), SMB2_ioctl_init(), cifs_enable_signing()
Cheers,