Bug 13661 - Session setup reauth fails to sign response
Session setup reauth fails to sign response
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-22 16:26 UTC by Ralph Böhme
Modified: 2018-11-20 11:28 UTC (History)
5 users (show)

See Also:


Attachments
WIP patch for master, needs test (1.68 KB, patch)
2018-11-06 15:45 UTC, Ralph Böhme
no flags Details
WIP patch for master with test (8.08 KB, patch)
2018-11-07 16:01 UTC, Ralph Böhme
no flags Details
WIP patch for master with test (11.93 KB, patch)
2018-11-07 22:26 UTC, Ralph Böhme
no flags Details
Patch for 4.8 and 4.9 cherry-picked from master (20.63 KB, patch)
2018-11-14 09:08 UTC, Ralph Böhme
jra: review+
slow: review? (metze)
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2018-10-22 16:26:53 UTC
In smbd_smb2_reauth_generic_return we talloc_move() session_info to session->global->auth_session_info which sets session_info to NULL.
    
This means security_session_user_level(NULL, NULL) will always return SECURITY_ANONYMOUS so we never sign the session setup response.
Comment 1 Jeremy Allison 2018-11-02 17:29:24 UTC
Ping ? Do we have a patch for this ? Looks like it was an issue for HPE in their server product.
Comment 2 Ralph Böhme 2018-11-02 19:07:41 UTC
Howdy!

Yes, we have a patch, but for upstream we also need a test to ensure we don't regresss. I have this in my work queue...
Comment 3 Ralph Böhme 2018-11-06 15:45:46 UTC
Created attachment 14603 [details]
WIP patch for master, needs test
Comment 4 Jeremy Allison 2018-11-06 18:17:31 UTC
Comment on attachment 14603 [details]
WIP patch for master, needs test

Patch LGTM, pretty obvious now I see it :-). A test would be nice, but is gravy in this case :-).
Comment 5 Ralph Böhme 2018-11-07 07:30:03 UTC
(In reply to Jeremy Allison from comment #4)
Turns out we already have a test: smb2.session.expire1s.

Wait... if we have test, why doesn't it fail? Ha!

Looks like we have two more bugs here:

1. the client doesn't reset the signing state after it gets NT_STATUS_NETWORK_SESSION_EXPIRED, so it keeps using the signing key on reauth. That means the reauth session setup is signed (with an invalid, expired key), which brings us to

2. the server doesn't reset keys when the session expires, so when it receives the session setup request with an invalid signature, it validates the signature with the expired key, so validation passes. Then as the request was signed, we also sign the response, this time with the new key.
Comment 6 Ralph Böhme 2018-11-07 15:54:33 UTC
(In reply to Ralph Böhme from comment #5)
oh, reauth keeps the keys, so that's not the problem.

Looks like in the client just don't check the signature of a session setup reauth response, so the test doesn't catch the missing signature. Windows client is more picky here, so I guess we have to adjust libcli_smb_common so we can then check this in torture tests.
Comment 7 Ralph Böhme 2018-11-07 16:01:21 UTC
Created attachment 14623 [details]
WIP patch for master with test

I'm slowly getting there....
Comment 8 Jeremy Allison 2018-11-07 17:21:08 UTC
Oh man, I'm glad you're on this ! I missed the fact we already have a test that wasn't working :-).
Comment 9 Ralph Böhme 2018-11-07 22:26:33 UTC
Created attachment 14629 [details]
WIP patch for master with test

So close...
Comment 10 Ralph Böhme 2018-11-14 09:08:57 UTC
Created attachment 14659 [details]
Patch for 4.8 and 4.9 cherry-picked from master
Comment 11 Andreas Schneider 2018-11-14 13:46:01 UTC
Karolin, please add the patches to the relevant branches. Thanks!
Comment 12 Karolin Seeger 2018-11-20 11:23:06 UTC
(In reply to Andreas Schneider from comment #11)
Pushed to autobuild-v4-{9,8}-test.
Comment 13 Karolin Seeger 2018-11-20 11:28:57 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to both branches.
Closing out bug report.

Thanks!