mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3:libsmb: start encryption as soon as possible after the session setup
For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon, if there's no tcon yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
c013509680
commit
21302649c4
@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
||||
uint16_t major, minor;
|
||||
uint32_t caplow, caphigh;
|
||||
NTSTATUS status;
|
||||
bool temp_ipc = false;
|
||||
|
||||
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
|
||||
status = smb2cli_session_encryption_on(c->smb2.session);
|
||||
@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
||||
return NT_STATUS_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
if (c->smb1.tcon == NULL) {
|
||||
status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
d_printf("Encryption required and "
|
||||
"can't connect to IPC$ to check "
|
||||
"UNIX CIFS extensions.\n");
|
||||
return NT_STATUS_UNKNOWN_REVISION;
|
||||
}
|
||||
temp_ipc = true;
|
||||
}
|
||||
|
||||
status = cli_unix_extensions_version(c, &major, &minor, &caplow,
|
||||
&caphigh);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
d_printf("Encryption required and "
|
||||
"can't get UNIX CIFS extensions "
|
||||
"version from server.\n");
|
||||
if (temp_ipc) {
|
||||
cli_tdis(c);
|
||||
}
|
||||
return NT_STATUS_UNKNOWN_REVISION;
|
||||
}
|
||||
|
||||
@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
||||
d_printf("Encryption required and "
|
||||
"share %s doesn't support "
|
||||
"encryption.\n", sharename);
|
||||
if (temp_ipc) {
|
||||
cli_tdis(c);
|
||||
}
|
||||
return NT_STATUS_UNSUPPORTED_COMPRESSION;
|
||||
}
|
||||
|
||||
@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
||||
d_printf("Encryption required and "
|
||||
"setup failed with error %s.\n",
|
||||
nt_errstr(status));
|
||||
if (temp_ipc) {
|
||||
cli_tdis(c);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
if (temp_ipc) {
|
||||
cli_tdis(c);
|
||||
}
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
||||
|
||||
DEBUG(4,(" session setup ok\n"));
|
||||
|
||||
if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
||||
status = cli_cm_force_encryption_creds(c,
|
||||
creds,
|
||||
sharename);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
switch (encryption_state) {
|
||||
case SMB_ENCRYPTION_DESIRED:
|
||||
break;
|
||||
case SMB_ENCRYPTION_REQUIRED:
|
||||
default:
|
||||
cli_shutdown(c);
|
||||
return status;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* here's the fun part....to support 'msdfs proxy' shares
|
||||
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
|
||||
here before trying to connect to the original share.
|
||||
@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
||||
status = cli_cm_force_encryption_creds(c,
|
||||
creds,
|
||||
sharename);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
switch (encryption_state) {
|
||||
case SMB_ENCRYPTION_DESIRED:
|
||||
break;
|
||||
case SMB_ENCRYPTION_REQUIRED:
|
||||
default:
|
||||
cli_shutdown(c);
|
||||
return status;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
DEBUG(4,(" tconx ok\n"));
|
||||
*pcli = c;
|
||||
return NT_STATUS_OK;
|
||||
|
Loading…
Reference in New Issue
Block a user