mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3:libsmb: start encryption as soon as possible after the session setup

For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon,
if there's no tcon yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher 2021-08-11 14:33:24 +02:00 committed by Jeremy Allison
parent c013509680
commit 21302649c4


@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
uint16_t major, minor;
uint32_t caplow, caphigh;
NTSTATUS status;
bool temp_ipc = false;
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
status = smb2cli_session_encryption_on(c->smb2.session);
@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
return NT_STATUS_NOT_SUPPORTED;
}
if (c->smb1.tcon == NULL) {
status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"can't connect to IPC$ to check "
"UNIX CIFS extensions.\n");
return NT_STATUS_UNKNOWN_REVISION;
}
temp_ipc = true;
}
status = cli_unix_extensions_version(c, &major, &minor, &caplow,
&caphigh);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n");
if (temp_ipc) {
cli_tdis(c);
}
return NT_STATUS_UNKNOWN_REVISION;
}
@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"share %s doesn't support "
"encryption.\n", sharename);
if (temp_ipc) {
cli_tdis(c);
}
return NT_STATUS_UNSUPPORTED_COMPRESSION;
}
@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"setup failed with error %s.\n",
nt_errstr(status));
if (temp_ipc) {
cli_tdis(c);
}
return status;
}
if (temp_ipc) {
cli_tdis(c);
}
return NT_STATUS_OK;
}
@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
DEBUG(4,(" session setup ok\n"));
if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
status = cli_cm_force_encryption_creds(c,
creds,
sharename);
if (!NT_STATUS_IS_OK(status)) {
switch (encryption_state) {
case SMB_ENCRYPTION_DESIRED:
break;
case SMB_ENCRYPTION_REQUIRED:
default:
cli_shutdown(c);
return status;
}
}
}
/* here's the fun part....to support 'msdfs proxy' shares
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
here before trying to connect to the original share.
@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
return status;
}
if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
status = cli_cm_force_encryption_creds(c,
creds,
sharename);
if (!NT_STATUS_IS_OK(status)) {
switch (encryption_state) {
case SMB_ENCRYPTION_DESIRED:
break;
case SMB_ENCRYPTION_REQUIRED:
default:
cli_shutdown(c);
return status;
}
}
}
DEBUG(4,(" tconx ok\n"));
*pcli = c;
return NT_STATUS_OK;
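Review bot: The teardown of the temporary IPC$ connection in cli_cm_force_encryption_creds is copied onto four separate exit paths (`if (temp_ipc) { cli_tdis(c); }` before each return that follows the IPC$ connect). Any exit added later that omits it would return with the temporary IPC$ tcon still attached to `c`, which do_connect keeps using when encryption is only desired. Routing those exits through a single `done:` label that performs the teardown once and then returns `status` would make the cleanup structural rather than a convention. The NTSTATUS returned by cli_tdis() is also discarded on every path; on the success path it seems worth at least logging a failure, since the later tree connect presumably expects no stale tcon, though that depends on code not shown here. The function starts before the first hunk and parts of its body between the hunks are not visible.

```c
	if (!NT_STATUS_IS_OK(status)) {
		/* … unchanged: d_printf for the failed version query … */
		status = NT_STATUS_UNKNOWN_REVISION;
		goto done;
	}
	/* … unchanged: capability test and its d_printf … */
		status = NT_STATUS_UNSUPPORTED_COMPRESSION;
		goto done;
	}
	/* … unchanged: encryption setup call and its d_printf … */
		goto done;	/* status already holds the setup error */
	}
	/* status is NT_STATUS_OK here */
done:
	if (temp_ipc) {
		/* drop the temporary IPC$ tcon exactly once, on every exit */
		cli_tdis(c);
	}
	return status;
}
```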