implement server side, netprot works basically #365
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Nice. |
Ah, it is this structure. `struct validate_neg_info {` You shouldn't assign straight into this structure since that breaks big-endian systems. |
Merged, thanks. I will sort out the windows/cmake issues and later will fix the game console builds. This is great. I will find time and build it as a smb2 server for ps2. |
cool.
I made a lot more progress the last few days too. I can serve Linux
(nautilus), Linux (samba) and Mac OSX (netbsd, probably samba) on SMB 2.1.
There were a bunch of issues in my asn1 parsing / generation I fixed and
now I detect if spnego wrapping is needed or not and auto-add if needed.
Started to enable SMB311 now to try and get my windows 11-pro machine to
connect. It doesn't work with samba smbclient yet... I get a signature
mismatch. It seems it wants a signature of the session-response pdu? If I
hack smb-signing to allow pdu signatures for session commands if the
server-redir flag is set in the header I do get a signature in the header
and the signed flag set, but smbclient complains the signature doesn't
match its calculation. I suppose the signing key isn't being made
properly? I also haven't tried to work out pre-auth stuff yet since that
hurts my head..
Also, a real bona fide bug in smb2_encode_preauth_context(struct
smb2_context *smb2, struct smb2_pdu *pdu). You are padding data_len to 64
bits but samba insists that the data_len is equal to the salt length (32) +
6. It's a silly restriction in samba but I made data_len 38 and padded the
alloc len up and samba is happy now.
Any hints on getting smb311 working would be great. I am not clear at all
if the signing key is being created properly (I just used the same code
you do for the client side) which works for 2.1 at least.
Finally, the packed struct hack was a short-cut. I was just in a hurry.
the whole ioctl stuff needs to be passed to the server-handler function
anyway, and the structs properly packed and unpacked in the cmd handler..
just got tedious and I wanted to test. But this brings up a big can of
worms: Try compiling for Arm based macs and you get a million alignment
warnings, starting in alloc.c with "container_of" type stuff. Not sure it
is fixable. I did get it all working on my x86 mac though suppressing
those.
Cheers, Brian
|
SMB3.1.1 is a little bit different when generating the keys. It adds
protection also of the initial NegotiateProtocol packets before
authentication has completed and feeds a preauthentication hash into the
key generator that covers also the initial negotiate protocol packets.
The code in libsmb2 SHOULD generate this correctly but I don't remember if
I actually tested it.
You need to negotiate a SMB2_PREAUTH_INTEGRITY_CAPABILITIES (sha512) as a
negotiate protocol context.
Then update and compute a rolling hash of all the packets until the key is
generated.
See smb3_update_preauth_hash in libsmb2.c how this is done.
You can also print the hashes as you compute them for the received packet
and then for the reply you send
and capture this with wireshark. Wireshark will show what the hash should
be at each step.
We added this to make debugging easier when we added 3.1.1 to the linux
client.
In wireshark sources you can see how wireshark does it in
epan/dissectors/packet-smb2.c
|
> Any hints on getting smb311 working would be great. I am not clear at all

In addition to using wireshark to make sure you compute the preauth hash correctly for each packet, the linux kernel cifs client can dump the session keys (so that you can paste them into wireshark to decrypt the stream). That way you can compare the key you generate server-side with the corresponding key that linux cifs client generates clientside. See here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/smb/client/smb2transport.c?h=v6.11#n479 |
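A reference calculation for the rolling preauth hash and the SMB 3.1.1 signing key discussed in the two comments above, for checking a server's values step by step against Wireshark or against keys dumped by the Linux client. This is an added example, not code from libsmb2 or from anyone in this thread; the function names, sample PDUs and session key are constructed for illustration.

```python
import hashlib
import hmac

def preauth_hash(messages, start=bytes(64)):
    """Rolling SMB 3.1.1 preauth integrity hash: H = SHA-512(H || message).

    messages are whole SMB2 PDUs (64-byte header included, no 4-byte transport
    length prefix) in wire order. Returns the hash after each message so every
    step can be compared with the value Wireshark shows for that packet.
    """
    steps, h = [], start
    for msg in messages:
        h = hashlib.sha512(h + msg).digest()
        steps.append(h)
    return steps

def smb3_kdf(key, label, context, out_len=16):
    """SP 800-108 counter-mode KDF with HMAC-SHA256, single iteration:
    HMAC(key, counter=1 || label || 0x00 || context || output length in bits)."""
    data = ((1).to_bytes(4, "big") + label + b"\x00" + context
            + (out_len * 8).to_bytes(4, "big"))
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]

def signing_key_311(session_key, negotiate_pdus, session_setup_pdus):
    """SMB 3.1.1 signing key. The KDF context is the hash over the negotiate
    request/response plus every session-setup PDU except the final successful
    response, which is itself signed with the derived key."""
    conn_hash = preauth_hash(negotiate_pdus)[-1]
    sess_hash = preauth_hash(session_setup_pdus, start=conn_hash)[-1]
    return smb3_kdf(session_key[:16], b"SMBSigningKey\x00", sess_hash)

# Constructed stand-ins for captured PDUs; real input is the raw bytes of each
# packet exactly as the server received or sent it.
NEGOTIATE = [b"\xfeSMB" + b"neg-request", b"\xfeSMB" + b"neg-response"]
SESSION_SETUP = [b"\xfeSMB" + b"setup-req-1", b"\xfeSMB" + b"setup-rsp-1",
                 b"\xfeSMB" + b"setup-req-2"]
SESSION_KEY = bytes(range(16))  # constructed; not a real session key

if __name__ == "__main__":
    for i, h in enumerate(preauth_hash(NEGOTIATE + SESSION_SETUP), 1):
        print(f"preauth hash after PDU {i}: {h.hex()}")
    key = signing_key_311(SESSION_KEY, NEGOTIATE, SESSION_SETUP)
    print("signing key:", key.hex())
```

A one-byte difference in any hashed PDU, or hashing the final session-setup response by mistake, changes the context and therefore the key, which shows up as a signature mismatch on the first signed PDU.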
This is a prototype implementation of serving SMB