
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Update of MS-PAC spec regarding November 2021 security updates - Trac
From:       "Jeff McCashland \(HE/HIM/THEY/THEM\) via cifs-protocol" <cifs-protocol () lists ! sa
Date:       2021-11-30 19:24:48
Message-ID: MWHPR21MB0847E597997953F0A98DBF93A3679 () MWHPR21MB0847 ! namprd21 ! prod ! outlook ! com

Thanks Andrew. 

I'll look into it for both [MS-PAC] and [MS-KILE], as I think it would help to
explicitly state how many flags each unsigned int would support.

In case it wasn't clear already, it is intended that the changes in the latest Errata
document are not reflected in the current published document. The purpose of the
Errata document is to detail changes that have not yet been published. Once the
document is republished, the errata document will be archived with the previous
publication and a new errata doc started for subsequent changes.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Andrew Bartlett <abartlet@samba.org> 
Sent: Tuesday, November 30, 2021 9:47 AM
To: Jeff McCashland (HE/HIM/THEY/THEM) <jeffm@microsoft.com>; Alexander Bokovoy <ab@samba.org>; metze <metze@samba.org>
Cc: cifs-protocol@lists.samba.org
Subject: Re: [cifs-protocol] [EXTERNAL] Update of MS-PAC spec regarding November 2021 security updates - TrackingID#2111240040005432

Thanks for checking the math. 

The idea was that this might extend, without changing the definition, to a longer
than 32 bit set of flags, that would just run on into the next, currently unseen,
uint32.

Andrew Bartlett

On Tue, 2021-11-30 at 17:36 +0000, Jeff McCashland (HE/HIM/THEY/THEM) via cifs-protocol wrote:
> Hi Alexander and Metze,
> 
> I would like to check your understanding of the formula and edge 
> condition. Metze suggested the formula:
> ((int)(flags_length/32))+1
> 
> By my calculation using this formula, if there are 32 flags, the 
> array would have 2 32-bit unsigned integers. I would expect only one 
> UINT for 32 flags.
> 
> Should it not be ((int)((flags_length -1)/32))+1? Also, I'm not sure 
> what you are referring to as 'bit 33'. 32-bit values are usually 
> designated bits 0-31.
> 
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open 
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
> We value your feedback.  My manager is Natesha Morrison (namorri),
> +1 (704) 430-4292
> 
> -----Original Message-----
> From: Alexander Bokovoy <ab@samba.org>
> Sent: Monday, November 29, 2021 11:06 AM
> To: Jeff McCashland (HE/HIM/THEY/THEM) <jeffm@microsoft.com>
> Cc: metze <metze@samba.org>; cifs-protocol@lists.samba.org
> Subject: Re: [EXTERNAL] [cifs-protocol] Update of MS-PAC spec 
> regarding November 2021 security updates -
> TrackingID#2111240040005432
> 
> On Mon, 29 Nov 2021, Jeff McCashland (HE/HIM/THEY/THEM) wrote:
> > Hi Metze,
> > 
> > How were you able to determine that the array size is 
> > '((int)(flags_length/32))+1'? Do you have a trace or document 
> > illustrating this?
> > 
> > Also, it is expected that changes in the current Errata doc are not 
> > included in the published document, but normally the changes would 
> > be spelled out in the errata doc.
> > 
> > Where did you find the Diff file with the changes? When I click the 
> > link, I get a PDF download, but I can't tell where it's coming from.
> 
> You can download it from the MS-WINERRATA:
> 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/314fe022-28ea-4bd9-93ac-7941ecf9ca10
> 
> For example, choose 'MS-PAC':
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/54e7d766-95ed-4e47-bae3-0904176b5958
> 
> has a table with
> 
> ------
> The following sections were changed or added. Please see the [diff 
> document] for the details.
> ------
> 
> [diff document] is a link to
> https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20211109-diff.pdf
> 
> 
> Also, the same problem exists with [MS-KILE] spec, it also needs an 
> update.
> 
> Choose 'MS-KILE' in the list:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c982f6c4-2f70-4dc7-b252-09092e9f1eed
> 
> then you'd see in the table
> 
> ------
> The following sections were changed or added. Please see the [diff 
> document] for the details.
> ------
> 
> [diff document] is a link to
> https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-KILE/%5bMS-KILE%5d-20211109-diff.pdf
> 
> 
> 
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol 
> > Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> > (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> > found here:
> > http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback.  My manager is Natesha 
> > Morrison (namorri), +1 (704) 430-4292
> > 
> > -----Original Message-----
> > From: Jeff McCashland
> > Sent: Wednesday, November 24, 2021 9:18 AM
> > To: metze <metze@samba.org>; Alexander Bokovoy <ab@samba.org>
> > Cc: cifs-protocol@lists.samba.org
> > Subject: RE: [EXTERNAL] [cifs-protocol] Update of MS-PAC spec 
> > regarding November 2021 security updates -
> > TrackingID#2111240040005432
> > 
> > [Kristian to BCC]
> > 
> > Hi Alexander and Metze,
> > 
> > I will look into this and get back to you.
> > 
> > Best regards,
> > Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol 
> > Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> > (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> > found here:
> > http://support.microsoft.com/globalenglish | Extension 1138300
> > We value your feedback.  My manager is Natesha 
> > Morrison (namorri), +1 (704) 430-4292
> > 
> > -----Original Message-----
> > From: Kristian Smith <Kristian.Smith@microsoft.com>
> > Sent: Wednesday, November 24, 2021 8:40 AM
> > To: metze <metze@samba.org>; Alexander Bokovoy <ab@samba.org>
> > Cc: cifs-protocol@lists.samba.org
> > Subject: RE:[EXTERNAL] [cifs-protocol] Update of MS-PAC spec 
> > regarding November 2021 security updates - 
> > TrackingID#2111240040005432
> > 
> > [DocHelp to Bcc]
> > 
> > Hi Alexander and Metze,
> > 
> > Thank you for your request. The case number 2111240040005432 has 
> > been created for this inquiry. One of our team members will
> > follow-up with you soon.
> > 
> > Regards,
> > Kristian
> > 
> > Kristian Smith
> > Support Escalation Engineer
> > Windows Open Spec Protocols
> > Office: (425) 421-4442
> > krsmith@microsoftsupport.com
> > 
> > 
> > 
> > -----Original Message-----
> > From: metze <metze@samba.org>
> > Sent: Wednesday, November 24, 2021 2:13 AM
> > To: Alexander Bokovoy <ab@samba.org>; Interoperability Documentation 
> > Help <dochelp@microsoft.com>
> > Cc: cifs-protocol@lists.samba.org
> > Subject: [EXTERNAL] Re: [cifs-protocol] Update of MS-PAC spec 
> > regarding November 2021 security updates
> > 
> > 
> > On 24.11.21 at 10:33, Alexander Bokovoy via cifs-protocol wrote:
> > > Hello dochelp,
> > > 
> > > I can see inconsistency in what is published on 
> > > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/
> > > with regards to the changes introduced as a part of the Microsoft 
> > > Windows security update of November 2021. Could this inconsistency 
> > > be clarified by publishing the new revision of the MS-PAC 
> > > document?
> > > 
> > > Errata document[1] talks about changes dated 2021/11/11 post V22.0
> > > but the rest of the linked documents are only V22.0.
> > > 
> > > In particular, the errata document[1] is saying:
> > > 
> > > -----
> > > The following sections were changed or added. Please see the diff 
> > > document for the details.
> > > 
> > > In section 2.10 UPN_DNS_INFO, added four new fields and a flag to 
> > > the UPN_DNS_INFO structure.
> > > 
> > > In section 2.14 PAC_ATTRIBUTES_INFO, added section.
> > > 
> > > In section 2.15 PAC_REQUESTOR, added section.
> > > -----
> > > 
> > > The document published, however, does not have these changes. The
> > > last section in chapter 2 is '14', there is no section 2.15.
> > 
> > I'm seeing it here:
> > https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20211109-diff.pdf
> > 
> > But for me the PAC_ATTRIBUTES_INFO documentation is a bit unclear:
> > 
> > We have this in Samba:
> > typedef [bitmap32bit] bitmap {
> >     PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
> >     PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
> > } PAC_ATTRIBUTE_INFO_FLAGS;
> > 
> > typedef struct {
> >     uint32 flags_length; /* length in bits */
> >     PAC_ATTRIBUTE_INFO_FLAGS flags;
> > } PAC_ATTRIBUTES_INFO;
> > 
> > And the documentation has:
> > 
> > FlagsLength (4 bytes): An unsigned 32-bit integer in little-endian
> > format that describes the length, in bits, of the Flags field.
> > 
> > Flags (variable): an array of 32-bit unsigned integers in
> > little-endian format that contains flag bits describing the PAC.
> > 
> > It's not really clear that the array size is 
> > '((int)(flags_length/32))+1', for now it seems to be just a single
> > uint32 element with two defined flags. Unless bit 33 will be defined 
> > someday, it would be easier to have it as
> > 
> > typedef struct {
> >     uint32 number_of_valid_flags;
> >     uint32 flags;
> > } PAC_ATTRIBUTES_INFO;
> > 
> > which is basically what we currently have in Samba, but in theory it 
> > would have to be
> > 
> > typedef struct {
> >     uint32 number_of_valid_flags;
> >     uint32 flags[(number_of_valid_flags/32)+1];
> > } PAC_ATTRIBUTES_INFO;
> > 
> > metze
> 
> --
> / Alexander Bokovoy
> 
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol@lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
 Samba Team Member (since 2001) https://samba.org/
 Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba


Samba Development and Support, Catalyst IT - Expert Open Source Solutions


_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
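
Added example (not part of the original thread, and not Samba or Microsoft code): the two word-count formulas discussed above, next to a length check a parser could apply to a PAC_ATTRIBUTES_INFO buffer before reading Flags. The function names and sample buffers are hypothetical, and treating FlagsLength == 0 as zero words is an assumption made here because an unsigned (flags_length - 1) would wrap.

```c
#include <stddef.h>
#include <stdint.h>

/* Formula as quoted in the thread: ((int)(flags_length/32))+1 */
uint32_t words_floor_plus_one(uint32_t bits) { return bits / 32 + 1; }

/* Ceiling division; avoids the unsigned wrap of (bits - 1) at bits == 0
 * and the overflow of (bits + 31) near UINT32_MAX. */
uint32_t words_ceil(uint32_t bits) { return bits / 32 + (bits % 32 != 0); }

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper (not Samba's code): check that buf holds FlagsLength
 * plus every 32-bit word that FlagsLength declares. Returns 0 or -1. */
int pac_attr_parse(const uint8_t *buf, size_t len,
                   uint32_t *flags_length, uint32_t *first_word)
{
    uint32_t bits, words;

    if (len < 4)
        return -1;
    bits = rd_le32(buf);
    words = words_ceil(bits);
    /* Compare in words, not bytes, so words * 4 can never overflow. */
    if (words > (len - 4) / 4)
        return -1;
    *flags_length = bits;
    *first_word = words ? rd_le32(buf + 4) : 0;
    return 0;
}

/* Constructed sample buffers, not captured traffic. */
const uint8_t sample_two_flags[8] = { 0x02, 0, 0, 0, 0x01, 0, 0, 0 };
const uint8_t sample_32_flags[8]  = { 0x20, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
const uint8_t sample_33_short[8]  = { 0x21, 0, 0, 0, 0x01, 0, 0, 0 };

int main(void)
{
    uint32_t bits, word;
    return pac_attr_parse(sample_two_flags, sizeof sample_two_flags, &bits, &word);
}
```

With FlagsLength = 32 the floor-plus-one formula asks for a second word that an 8-byte buffer does not contain, while the ceiling form accepts it; FlagsLength = 33 with only one word present is rejected by the length check.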

