From 21302649c46441ea325c66457294225ddb1d6235 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 11 Aug 2021 14:33:24 +0200
Subject: [PATCH] s3:libsmb: start encryption as soon as possible after the session setup
For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon, if there's no tcon yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source3/libsmb/clidfs.c | 56 +++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 16 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 040b957e6f8..5b64858ca33 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
 uint16_t major, minor;
 uint32_t caplow, caphigh;
 NTSTATUS status;
+ bool temp_ipc = false;
 if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
 status = smb2cli_session_encryption_on(c->smb2.session);
@@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
 return NT_STATUS_NOT_SUPPORTED;
 }
+ if (c->smb1.tcon == NULL) {
+ status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("Encryption required and "
+ "can't connect to IPC$ to check "
+ "UNIX CIFS extensions.\n");
+ return NT_STATUS_UNKNOWN_REVISION;
+ }
+ temp_ipc = true;
+ }
+
 status = cli_unix_extensions_version(c, &major, &minor, &caplow, &caphigh);
 if (!NT_STATUS_IS_OK(status)) {
 d_printf("Encryption required and "
 "can't get UNIX CIFS extensions "
 "version from server.\n");
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
 return NT_STATUS_UNKNOWN_REVISION;
 }
@@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
 d_printf("Encryption required and "
 "share %s doesn't support "
 "encryption.\n", sharename);
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
 return NT_STATUS_UNSUPPORTED_COMPRESSION;
 }
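Review bot: The new IPC$ failure branch in cli_cm_force_encryption_creds() discards the status from cli_tree_connect_creds() and returns NT_STATUS_UNKNOWN_REVISION, so a caller that requires encryption reports an unrelated error when the real cause was, for example, a refused tree connect. The message should carry the cause and the branch should pass it on, as the setup-failure branch later in the function already does: `"UNIX CIFS extensions: %s.\n", nt_errstr(status));` followed by `return status;`. Separately, the same `if (temp_ipc) { cli_tdis(c); }` cleanup is repeated here and in the hunks at -85 and -93; a single exit label would keep a future early return from leaving the temporary tcon connected. The function body starts and ends outside this hunk.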
@@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
 d_printf("Encryption required and "
 "setup failed with error %s.\n", nt_errstr(status));
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
 return status;
 }
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
 return NT_STATUS_OK;
 }
@@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
 DEBUG(4,(" session setup ok\n"));
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
+ status = cli_cm_force_encryption_creds(c,
+ creds,
+ sharename);
+ if (!NT_STATUS_IS_OK(status)) {
+ switch (encryption_state) {
+ case SMB_ENCRYPTION_DESIRED:
+ break;
+ case SMB_ENCRYPTION_REQUIRED:
+ default:
+ cli_shutdown(c);
+ return status;
+ }
+ }
+ }
+
 /* here's the fun part....to support 'msdfs proxy' shares (on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL here before trying to connect to the original share.
@@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
 return status;
 }
- if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
- status = cli_cm_force_encryption_creds(c,
- creds,
- sharename);
- if (!NT_STATUS_IS_OK(status)) {
- switch (encryption_state) {
- case SMB_ENCRYPTION_DESIRED:
- break;
- case SMB_ENCRYPTION_REQUIRED:
- default:
- cli_shutdown(c);
- return status;
- }
- }
- }
-
 DEBUG(4,(" tconx ok\n"));
 *pcli = c;
 return NT_STATUS_OK;
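Review bot: On the success path the result of `cli_tdis(c)` is dropped and the function returns NT_STATUS_OK regardless. If the disconnect of the temporary IPC$ tree fails, the caller carries on as if the connection had no tcon; whether a stale one can remain attached depends on cli_tdis(), which is not visible here. Ignoring the result on the error branches is reasonable best-effort cleanup, but at this point I would check it: `status = cli_tdis(c);` then `if (!NT_STATUS_IS_OK(status)) { return status; }`, or at least log the failure. The enclosing function starts outside this hunk.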
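Review bot: Nothing at the new call site in do_connect() records that its position is the point of the change: encryption has to be on before the DFS referral request and the tree connect that follow, otherwise those requests go out unencrypted. A comment above the `if` would keep a later refactor from moving the block back, e.g. `/* Enable encryption before the DFS referral and tree connect below so neither is sent in the clear. */`. The comment should also state that with SMB_ENCRYPTION_DESIRED a failure falls through and the rest of the connect proceeds without encryption, even though every message printed by the callee begins with "Encryption required". do_connect() starts and ends outside this hunk.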